CSP Analyser

Generate production-ready CSP headers automatically

What is CSP Analyser?

Content Security Policy headers are one of the strongest browser-side defences against XSS and data injection attacks, but writing them by hand is tedious and error-prone. CSP Analyser automates the process:

  1. Crawl your website with a deny-all Content-Security-Policy-Report-Only header
  2. Capture every violation the browser reports (scripts, styles, images, fonts, frames, etc.)
  3. Generate a minimal, correct policy that allows exactly the resources your site needs
  4. Export the policy in the format your server or CDN expects

The tool runs entirely on your local machine. No data is sent to any external service.
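The four-step pipeline above, reduced to its core as an added example (this is not CSP Analyser's own code): constructed violation reports in the browser's report-uri JSON shape are folded into a deny-all baseline, then exported as a raw header and as an nginx directive. The "inline" and "eval" cases show why step 3 should surface 'unsafe-*' needs as findings rather than silently widen the policy.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample reports (not captured from a real site), one JSON document per line,
# in the shape a browser POSTs to report-uri when a Report-Only policy is violated.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src", "blocked-uri": "https://cdn.example.test/app.js"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://example.test/about", "effective-directive": "img-src", "blocked-uri": "https://example.test/logo.png"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "img-src", "blocked-uri": "data"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "font-src", "blocked-uri": "https://fonts.example.test/a.woff2"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src", "blocked-uri": "eval"}}',
]

def source_for(document_uri, blocked_uri):
    """Map a blocked-uri to the narrowest source expression that would allow it."""
    if blocked_uri == "inline":
        return "'unsafe-inline'"   # recorded so it can be flagged, not hidden
    if blocked_uri == "eval":
        return "'unsafe-eval'"
    if blocked_uri in ("data", "blob"):
        return blocked_uri + ":"   # browsers report scheme-only URIs without the colon
    page, res = urlsplit(document_uri), urlsplit(blocked_uri)
    if (res.scheme, res.netloc) == (page.scheme, page.netloc):
        return "'self'"
    return f"{res.scheme}://{res.netloc}"   # origin only, never the full path

def build_policy(report_lines):
    """Aggregate reports into {directive: sorted sources}, starting from deny-all."""
    policy = defaultdict(set)
    policy["default-src"].add("'none'")
    for line in report_lines:
        r = json.loads(line)["csp-report"]
        # Older browsers omit effective-directive; fall back to the violated one.
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        policy[directive].add(source_for(r["document-uri"], r["blocked-uri"]))
    return {d: sorted(s) for d, s in policy.items()}

def to_header(policy):
    return "; ".join(f"{d} {' '.join(s)}" for d, s in sorted(policy.items()))

def to_nginx(policy):
    return f'add_header Content-Security-Policy "{to_header(policy)}" always;'

def unsafe_sources(policy):
    """Directives that would need 'unsafe-*' sources: the findings an audit should flag."""
    return {d: [s for s in srcs if s.startswith("'unsafe-")]
            for d, srcs in policy.items() if any(s.startswith("'unsafe-") for s in srcs)}
```

Replace the 'unsafe-inline' finding with nonces or hashes (the page's hash-static mode is one route) before shipping the generated header.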

Who is it for?

  • Web developers who need to add or tighten a CSP header before shipping to production
  • Security engineers auditing existing CSP deployments for gaps or overly permissive rules
  • DevOps teams integrating CSP generation into CI/CD pipelines
  • AI coding agents that need a structured tool for CSP analysis via the MCP server

Key use cases

  Use case                                        Command
  Generate a CSP for a live website               csp-analyser crawl
  Audit an existing CSP deployment                csp-analyser audit
  Generate a CSP for static HTML (no browser)     csp-analyser hash-static
  Browse a SPA manually and capture violations    csp-analyser interactive
  Score a policy against best practices           csp-analyser score
  Compare policies across crawl sessions          csp-analyser diff

Supported output formats

Export your generated policy in any of these formats:

header | meta | nginx | apache | cloudflare | cloudflare-pages | azure-frontdoor | helmet | json

See Export Formats for examples and deployment instructions.

CLI vs MCP server

CSP Analyser ships as both a standalone CLI and an MCP server for AI coding agents:

  • CLI — Run from your terminal. Ideal for local development, scripting, and CI/CD integration.
  • MCP Server — Expose the full pipeline as structured tools over stdio. AI agents like Claude Code and Cursor can crawl, generate, score, and export CSP policies without leaving their workflow.

Authentication support

Need to analyse a site behind login? CSP Analyser supports:

  • Playwright storage state files for cookie/session-based auth
  • Interactive login via a headed browser window
  • Raw cookie injection for automated pipelines

See the Authentication guide for details.


Released under the MIT License.