content-security-policy
Implement a content security policy
Content Security Policy prevents cross-site scripting (XSS), clickjacking, and data injection attacks by controlling which resources can be loaded and executed on your pages. It reduces blast radius, but it does not replace output encoding and sanitization.
Quick Reference
- Start with Content-Security-Policy-Report-Only to test without breaking your site
- Use nonces or hashes for inline scripts instead of unsafe-inline
- Avoid unsafe-eval unless absolutely necessary
- Set a strict default-src, then allow specific sources per directive
- Monitor CSP reports to catch violations
- Sanitize untrusted HTML before rendering it into the DOM
- Use Trusted Types in larger apps as defense in depth for DOM XSS sinks
Check
Check if this website implements a Content Security Policy header and analyze its directives. Also review any use of innerHTML, dangerouslySetInnerHTML, HTML template injection, and Trusted Types enforcement for large applications.