This tool scans and analyzes the Content Security Policy (CSP) of a given website. It provides two main functionalities:
- --scan: Fetches and displays the current CSP from HTTP headers and <meta> tags.
- --suggest: Analyzes the resources loaded by the site and suggests a CSP based on the domains used for scripts, styles, and fonts.
npm install -g csp-scanner
npx csp-scanner --scan <URL>
npx csp-scanner --suggest <URL>
Alternatively, if installed globally:
csp-scanner --scan <URL>
csp-scanner --suggest <URL>
This command scans a website for existing CSP policies. It extracts CSP directives from both HTTP headers and <meta> tags and provides security recommendations if weaknesses are found.
Example:
csp-scanner --scan https://example.com
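The following is an added example, not csp-scanner's own code, showing the core of what a --scan style check has to do once the policy text is in hand: pull the policy out of a <meta http-equiv="Content-Security-Policy"> tag, split it into directives, and flag the weaknesses that matter most (missing default-src, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', the * wildcard, bare schemes such as https: or data:, and wildcard subdomains). The sample HTML and policy strings are constructed for the example; the function names are assumptions.

```javascript
// Added example (not csp-scanner's code): extract, parse and audit a CSP.

// Pull the policy out of a <meta http-equiv="Content-Security-Policy"> tag.
// Matches the attribute with either quote style so a value containing 'self'
// is not cut short.
function extractCspFromHtml(html) {
  const metaTags = html.match(/<meta\b[^>]*>/gi) || [];
  for (const tag of metaTags) {
    if (!/http-equiv\s*=\s*["']?content-security-policy["']?/i.test(tag)) continue;
    const m = tag.match(/\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i);
    if (m) return m[1] !== undefined ? m[1] : m[2];
  }
  return null;
}

// Split "directive src src; directive src" into { directive: [sources] }.
// Browsers honour only the first occurrence of a directive, so do the same.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Report the weaknesses a scanner would flag. 'unsafe-inline' is ignored by
// CSP2+ browsers when a nonce or hash source is present in the same
// directive, so it is only reported when no such source exists.
function auditCsp(policy) {
  const directives = parseCsp(policy);
  const findings = [];
  if (!directives['default-src']) {
    findings.push('no default-src: any fetch directive not listed is unrestricted');
  }
  for (const [directive, sources] of Object.entries(directives)) {
    const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
    for (const src of sources) {
      const s = src.toLowerCase();
      if (s === "'unsafe-inline'" && !hasNonceOrHash) {
        findings.push(`${directive}: 'unsafe-inline' permits inline script/style`);
      } else if (s === "'unsafe-eval'") {
        findings.push(`${directive}: 'unsafe-eval' permits eval()`);
      } else if (s === '*') {
        findings.push(`${directive}: wildcard * allows any origin`);
      } else if (/^(https?|data|blob):$/.test(s)) {
        findings.push(`${directive}: bare scheme ${s} allows any host`);
      } else if (/^(https?:\/\/)?\*\./.test(s)) {
        findings.push(`${directive}: wildcard subdomain ${src}`);
      }
    }
  }
  return { directives, findings };
}

// Constructed samples for the example.
const SAMPLE_STRICT = "default-src 'self'; script-src 'self' https://apis.example.com";
const SAMPLE_WEAK = "script-src 'self' 'unsafe-inline' *; style-src https:";
const SAMPLE_NONCED = "default-src 'self'; script-src 'nonce-r4nd0m' 'unsafe-inline'";
const SAMPLE_HTML =
  '<html><head><meta charset="utf-8">' +
  '<meta http-equiv="Content-Security-Policy" content="default-src \'self\'; img-src data:">' +
  '</head></html>';

console.log('weak policy findings:', auditCsp(SAMPLE_WEAK).findings);
console.log('meta policy:', extractCspFromHtml(SAMPLE_HTML));
```

Two points worth keeping in mind when reading a scan result: a Content-Security-Policy-Report-Only header enforces nothing, so a site that only sends that header has no effective CSP, and a policy delivered in a <meta> tag cannot carry frame-ancestors, report-uri or sandbox, which are only honoured in the HTTP header.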
This command analyzes the resources loaded by the website and suggests a CSP based on actual network requests.
Note: This feature uses Chrome DevTools Protocol (CDP) via chrome-remote-interface, which requires Chrome to be running in debugging mode.
- Start Chrome with the remote debugging port enabled:
  google-chrome --remote-debugging-port=9222
  (On Windows, adjust the path accordingly.)
- Run the --suggest command:
  csp-scanner --suggest https://example.com
- Running Chrome with remote debugging mode enabled may expose it to external access if not properly configured.
- Ensure the debugging port is not exposed to the public (e.g., use --remote-debugging-address=127.0.0.1).
🔍 Scanning CSP for: https://example.com
✅ CSP found in headers:
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com;
...
✅ Scan complete.
🔍 Suggesting CSP for: https://example.com
🔍 Analyzing resources for: https://example.com
🔹 Scripts:
--------------------------------------------------
Domain
--------------------------------
https://cdn.example.com
https://thirdparty.com
🔧 To ensure proper CSP, add these domains to your script-src directive:
✅ Analysis complete.
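As an added example of how a --suggest style policy can be derived from observed requests (this is not the tool's own code), the function below groups the origins of the resources a page loaded by directive and emits a policy string. The request list is constructed; the type labels assume the names CDP's Network domain uses for resource types (Script, Stylesheet, Font, Image, XHR, Fetch), and the function and constant names are assumptions.

```javascript
// Added example (not csp-scanner's code): derive a CSP from observed requests.

// Map a resource type (assumed to use CDP's ResourceType names) to the
// directive that governs it. Types not listed are ignored.
const DIRECTIVE_FOR_TYPE = {
  Script: 'script-src',
  Stylesheet: 'style-src',
  Font: 'font-src',
  Image: 'img-src',
  XHR: 'connect-src',
  Fetch: 'connect-src',
};

// Build "default-src 'self'; <directive> <origins>..." from the requests a
// page made. Same-origin resources collapse to 'self'; data: URLs collapse
// to the data: scheme rather than a host.
function suggestCsp(pageUrl, requests) {
  const pageOrigin = new URL(pageUrl).origin;
  const sources = {};
  for (const { type, url } of requests) {
    const directive = DIRECTIVE_FOR_TYPE[type];
    if (!directive) continue;
    const set = sources[directive] || (sources[directive] = new Set());
    if (url.startsWith('data:')) {
      set.add('data:');
      continue;
    }
    const origin = new URL(url).origin;
    set.add(origin === pageOrigin ? "'self'" : origin);
  }
  const parts = ["default-src 'self'"];
  for (const directive of Object.keys(sources).sort()) {
    parts.push(`${directive} ${[...sources[directive]].sort().join(' ')}`);
  }
  return parts.join('; ');
}

// Constructed sample: the requests one load of https://example.com might make.
const PAGE_URL = 'https://example.com/';
const SAMPLE_REQUESTS = [
  { type: 'Document', url: 'https://example.com/' },
  { type: 'Script', url: 'https://example.com/app.js' },
  { type: 'Script', url: 'https://cdn.example.com/lib.js' },
  { type: 'Script', url: 'https://thirdparty.com/t.js' },
  { type: 'Stylesheet', url: 'https://example.com/main.css' },
  { type: 'Font', url: 'https://fonts.example.net/f.woff2' },
  { type: 'Image', url: 'data:image/png;base64,iVBORw0KGgo=' },
  { type: 'XHR', url: 'https://api.example.com/v1/items' },
];

console.log(suggestCsp(PAGE_URL, SAMPLE_REQUESTS));
```

A policy produced this way only covers the requests seen during that one page load, so code paths that were not exercised (a login flow, a lazily loaded widget) will be blocked when the policy is enforced, and because it contains no 'unsafe-inline' any inline scripts or event handlers on the page will be blocked as well. The usual approach is to deploy the suggestion as Content-Security-Policy-Report-Only first and tighten it from the violation reports before switching to the enforcing header.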
ISC