score
Score a session's generated CSP policy against security best practices.
Usage
csp-analyser score [session-id] [options]

When session-id is omitted, the most recent completed session for the current project is used automatically. Override the project with --project or the CSP_ANALYSER_PROJECT environment variable.
Options
| Option | Default | Description |
|---|---|---|
| --strictness <level> | moderate | Strictness used when generating the policy to score. |
| --project <name> | auto-detected | Override auto-detected project name for session lookup. |
Scoring system
The score starts at 100 points and applies deductions for dangerous patterns and bonuses for security best practices. The final score is clamped to the 0-100 range.
Grades
| Grade | Score range |
|---|---|
| A | 90-100 |
| B | 75-89 |
| C | 55-74 |
| D | 35-54 |
| F | 0-34 |
What it checks
Critical issues (large deductions)
| Check | Points | Trigger |
|---|---|---|
| 'unsafe-eval' in script directives | -30 | Allows arbitrary code execution via eval() |
| 'unsafe-eval' in default-src (no script-src override) | -30 | Falls through to script execution |
| Wildcard * in default-src, script-src, or script-src-elem | -25 | Allows loading from any origin |
Warnings (moderate deductions)
| Check | Points | Trigger |
|---|---|---|
| 'unsafe-inline' in script directives | -20 | Allows inline scripts (XSS risk) |
| 'unsafe-inline' in default-src (no script-src override) | -20 | Falls through to inline scripts |
| data: URIs in script directives | -20 | Can be used for script injection |
| Missing default-src | -15 | No fallback for undeclared directives |
| Wildcard * in non-critical directives | -10 | Overly permissive |
Info (minor deductions)
| Check | Points | Trigger |
|---|---|---|
| Missing object-src | -5 | Plugins not blocked (unless default-src 'none') |
| Missing base-uri | -5 | Base tag injection possible |
| Missing form-action | -5 | Forms can submit to any origin |
Positive signals (bonuses)
| Check | Points | Trigger |
|---|---|---|
| Nonces or hashes used | +10 | Script integrity via 'nonce-...' or 'sha256-...' |
| 'strict-dynamic' present | +5 | Trust propagation from nonces/hashes |
| Violation reporting configured | +5 | report-uri or report-to present |
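As an added illustration of how the tables above combine into a score, the following Python scorer is not csp-analyser's own code: it applies each listed deduction and bonus to a constructed header and clamps the result. The page does not say how the tool counts overlapping rules, so counting a wildcard once per directive and treating a leftover 'unsafe-inline' beside a nonce as a full deduction are assumptions.

```python
SCRIPT_DIRS = ("script-src", "script-src-elem", "script-src-attr")
CRITICAL_WILDCARD = ("default-src", "script-src", "script-src-elem")
INTEGRITY = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Split "a b; c d" into {"a": ["b"], "c": ["d"]}; directive names are case-insensitive."""
    parts = [part.split() for part in header.split(";")]
    return {t[0].lower(): t[1:] for t in parts if t}

def grade(score):
    """Map a 0-100 score onto the A-F bands of the Grades table."""
    for letter, floor in (("A", 90), ("B", 75), ("C", 55), ("D", 35)):
        if score >= floor:
            return letter
    return "F"

def score_csp(header):
    """Return (score, grade, findings); findings are (points, message) pairs."""
    p = parse_csp(header)
    f = []  # deductions are negative, bonuses positive
    # Effective script sources: the script directives if any is set, else default-src falls through.
    script = {t for d in SCRIPT_DIRS for t in p.get(d, [])}
    if not any(d in p for d in SCRIPT_DIRS):
        script = set(p.get("default-src", []))
    if "'unsafe-eval'" in script:
        f.append((-30, "'unsafe-eval' allows arbitrary code execution via eval()"))
    for d, srcs in p.items():  # -25 in script-bearing directives, -10 elsewhere (assumed once per directive)
        if "*" in srcs:
            f.append((-25 if d in CRITICAL_WILDCARD else -10, f"wildcard * in {d}"))
    if "'unsafe-inline'" in script:
        f.append((-20, "'unsafe-inline' allows inline script execution (XSS risk)"))
    if "data:" in script:
        f.append((-20, "data: URIs in script directives can be used for script injection"))
    if "default-src" not in p:
        f.append((-15, "missing default-src: no fallback for undeclared directives"))
    for d in ("object-src", "base-uri", "form-action"):  # object-src is covered by default-src 'none'
        if d not in p and not (d == "object-src" and p.get("default-src") == ["'none'"]):
            f.append((-5, f"missing {d}"))
    if any(t.startswith(INTEGRITY) for t in script):
        f.append((10, "uses nonces or hashes for script integrity"))
    if "'strict-dynamic'" in script:
        f.append((5, "'strict-dynamic' propagates trust from nonces/hashes"))
    if "report-uri" in p or "report-to" in p:
        f.append((5, "violation reporting is configured"))
    score = max(0, min(100, 100 + sum(pts for pts, _ in f)))
    return score, grade(score), f

# Constructed sample (not from the page): a nonce beside a leftover 'unsafe-inline', no base-uri.
SAMPLE = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; "
          "img-src *; object-src 'none'; form-action 'self'; report-to csp-endpoint")
```

Running `score_csp(SAMPLE)` yields 80/100 (grade B): -10 for the img-src wildcard, -20 for 'unsafe-inline', -5 for the missing base-uri, +10 for the nonce and +5 for reporting.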
Example output
CSP Score: 75/100 (Grade: B)

Issues:
  [!] 'unsafe-inline' allows inline script execution (XSS risk) (-20 pts)
  [?] Missing base-uri - consider adding base-uri 'self' to prevent base tag injection (-5 pts)

Strengths:
  [+] Uses nonces or hashes for script integrity (+10 pts)
  [+] Violation reporting is configured (+5 pts)

Finding icons:

| Icon | Meaning |
|---|---|
| !! | critical issue |
| ! | warning |
| ? | informational suggestion |
| + | positive signal |
Examples
Score the default policy
csp-analyser score abc123

Score a strict policy

csp-analyser score abc123 --strictness strict

A stricter policy typically scores higher because it avoids 'unsafe-inline' and prefers hashes. Use --hash to replace 'unsafe-inline' with SHA-256 hashes computed from the full inline content extracted during crawling, or --nonce to replace it with nonce placeholders.
Compare scores across strictness levels
for level in strict moderate permissive; do
echo "=== $level ==="
csp-analyser score abc123 --strictness $level
echo
done

When to use this command
Use score after any crawl, audit, or generate run to evaluate the quality of the generated Content Security Policy. The scorer checks for best practices like having a default-src, avoiding unsafe-inline and unsafe-eval, and using report-only mode appropriately. Use the score to decide whether to tighten your policy with a stricter strictness level or enable options like --nonce or --hash.