generate
Regenerate a CSP policy from an existing session's violation data, without re-crawling the site.
Usage
```bash
csp-analyser generate [session-id] [options]
```

When session-id is omitted, the most recent completed session for the current project is used automatically. The project is auto-detected from the nearest package.json, falling back to the directory name. Override with --project or the CSP_ANALYSER_PROJECT environment variable.
Options
| Option | Default | Description |
|---|---|---|
| --strictness <level> | moderate | Policy generation strictness: strict, moderate, or permissive. |
| --format <fmt> | header | Output format: header, meta, nginx, apache, cloudflare, cloudflare-pages, azure-frontdoor, helmet, or json. |
| --nonce | false | Replace 'unsafe-inline' with nonce placeholders. |
| --strict-dynamic | false | Add 'strict-dynamic' alongside nonces. Implies --nonce. |
| --hash | false | Compute SHA-256 hashes for all inline content and remove 'unsafe-inline' from directives that have hash sources. |
| --strip-unsafe-eval | false | Remove 'unsafe-eval' from the generated policy even if violations were captured for it. |
| --collapse-hash-threshold <n> | disabled | Collapse hashes to 'unsafe-inline' when a directive exceeds <n> hashes. Useful for CSS-in-JS apps that generate thousands of dynamic inline styles. |
| --static-site | false | Target is a static site — disables nonce replacement since nonces require a server to generate per-request values. |
| --static-profile react-expo | -- | Static React/Expo profile: keeps scripts and <style> blocks hash-strict while allowing only excessive style-src-attr hashes to collapse to 'unsafe-inline'. Static profiles skip nonce replacement. |
| --report-only | false | Generate a report-only header. |
| --project <name> | auto-detected | Override auto-detected project name for session lookup. |
When to use
After running crawl or interactive, the session ID is printed in the summary. Use generate to produce a new policy from the same violation data with different settings. No need to re-crawl.
Common reasons to regenerate:
- Switch between strict, moderate, and permissive to compare the resulting policies
- Change the output format without re-crawling
- Toggle between enforcing and report-only modes
Examples
Change strictness

```bash
# Original crawl used moderate (default)
csp-analyser crawl https://example.com
# Session ID: abc123
# Try a stricter policy from the same data
csp-analyser generate abc123 --strictness strict
```

Compare all three strictness levels

```bash
SESSION=abc123
echo "=== Strict ==="
csp-analyser generate $SESSION --strictness strict
echo "=== Moderate ==="
csp-analyser generate $SESSION --strictness moderate
echo "=== Permissive ==="
csp-analyser generate $SESSION --strictness permissive
```

Generate as report-only

```bash
csp-analyser generate abc123 --report-only
```

Output as JSON for programmatic use

```bash
csp-analyser generate abc123 --format json | jq '.directives'
```

Static React/Expo export

```bash
csp-analyser generate abc123 \
  --hash \
  --collapse-hash-threshold 10 \
  --static-site \
  --static-profile react-expo
```

The react-expo profile is for static hosts that cannot emit per-request nonces. It keeps script directives hash-based, avoids broad style-src 'unsafe-inline', and only permits the scoped style-src-attr 'unsafe-inline' fallback when the style attribute hash count exceeds the threshold.
When to use this command
Use generate when you want to rebuild a CSP policy from an existing session's violation data without re-crawling the site. This is useful when you want to try different strictness levels, toggle nonce or hash options, or adjust other policy generation settings. It's much faster than running a new crawl since it reuses the already-captured violations.