export
Export a session's CSP policy in a deployment-ready format.
Usage
csp-analyser export [session-id] [options]When session-id is omitted, the most recent completed session for the current project is used automatically. Override the project with --project or the CSP_ANALYSER_PROJECT environment variable.
Options
| Option | Default | Description |
|---|---|---|
--strictness <level> | moderate | Policy generation strictness: strict, moderate, or permissive. |
--format <fmt> | header | Output format (see below). |
--nonce | false | Replace 'unsafe-inline' with nonce placeholders. |
--strict-dynamic | false | Add 'strict-dynamic' alongside nonces. Implies --nonce. |
--hash | false | Compute SHA-256 hashes for all inline content and remove 'unsafe-inline' from directives that have hash sources. |
--strip-unsafe-eval | false | Remove 'unsafe-eval' from the generated policy even if violations were captured for it. |
--collapse-hash-threshold <n> | disabled | Collapse hashes to 'unsafe-inline' when a directive exceeds <n> hashes. |
--static-site | false | Target is a static site — disables nonce replacement. |
--report-only | false | Generate a report-only header. |
--project <name> | auto-detected | Override auto-detected project name for session lookup. |
Formats
Seven export formats are available, covering the most common deployment targets.
header (default)
A raw HTTP header string, ready to paste into any server configuration.
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'meta
An HTML <meta> tag for use in the document <head>. Directives not supported in <meta> tags (report-uri, report-to) are automatically stripped.
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'"
/>nginx
An Nginx add_header directive.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'" always;apache
An Apache Header directive for use in .htaccess or server config.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'"cloudflare
A Cloudflare Worker script that adds the CSP header to responses.
export default {
async fetch(request, env, ctx) {
const response = await fetch(request);
const newResponse = new Response(response.body, response);
newResponse.headers.set('Content-Security-Policy', '...');
return newResponse;
},
};cloudflare-pages
A Cloudflare Pages _headers file entry. Place the output in your public/_headers file.
/*
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.comjson
A JSON object containing the directive map, the policy string, and the report-only flag. Useful for programmatic consumption.
{
"directives": {
"default-src": ["'self'"],
"script-src": ["'self'", "https://cdn.example.com"]
},
"policyString": "default-src 'self'; script-src 'self' https://cdn.example.com",
"isReportOnly": false
}Examples
Export for Nginx
csp-analyser export abc123 --format nginx > /etc/nginx/snippets/csp.confExport as report-only for testing
csp-analyser export abc123 --format header --report-onlyOutput:
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://cdn.example.comPipe JSON to jq
csp-analyser export abc123 --format json | jq '.directives | keys'Export Cloudflare Pages headers file
csp-analyser export abc123 --format cloudflare-pages > public/_headersWhen to use this command
Use export when you've already generated a policy via crawl, audit, or generate and need it in a specific deployment format. While crawl outputs a raw header by default, export lets you re-export any session's policy as nginx config, Apache config, Cloudflare headers, HTML meta tags, Helmet middleware config, or JSON — without re-running the analysis.