Guides
In-depth guides for getting the most out of CSP Analyser. These cover the decisions you'll face after running your first crawl — how to handle authenticated pages, choose the right strictness level, interpret your policy score, and integrate CSP generation into your deployment pipeline.
If you're just getting started, begin with the Quick Start to generate your first policy, then come back here to fine-tune it.
Authentication
Most real-world sites require login. CSP Analyser supports Playwright storage state files, interactive browser login, and raw cookie injection so you can analyse protected pages without weakening your test.
- Authentication guide — Step-by-step setup for each method
Policy tuning
The generated policy is controlled by two main levers: strictness level and post-generation options like nonces, hashes, and strict-dynamic. These guides explain the trade-offs.
- Strictness Levels — How strict, moderate, and permissive affect the generated directives
- Understanding Scores — The 100-point scoring scale, grade boundaries, and how to improve your score
Deployment
Once you have a policy you're happy with, export it in the format your infrastructure expects and optionally automate future runs.
- Export Formats — All output formats with examples for nginx, Apache, Cloudflare, Azure Front Door, Helmet, and more
- CI/CD Integration — Run CSP Analyser in GitHub Actions and other CI pipelines to catch regressions automatically
Advanced scenarios
Handling real-world edge cases: CSS-in-JS hash explosions, static hosting without nonces, eval() attribution, and option interactions.
- Advanced Scenarios — Hash collapsing, static site mode, unsafe-eval source attribution, and how --hash, --collapse-hash-threshold, and --strip-unsafe-eval interact