csp-scan

csp-scan is a Python script for constructing strict Content-Security-Policy headers based on the content of the HTML files in a source directory. It looks for the sources and hrefs used in HTML elements for most CSP directives and outputs the header content. It includes a warning system for unencrypted HTTP connections.

Background on CSP and its bypasses: https://www.cobalt.io/blog/csp-and-bypasses
```shell
pip3 install csp-scan
cd my-frontend-src
csp-scan
```
Options:

- `-d`, `--default-src`: Value for the default-src directive. Default: self
- `-r`, `--report-uri`: Report URI to post violations to.
- `-l`, `--literal-src`: Include whole src paths in the CSP.
Contributions welcome!
The `Directive` class is initialized with the name of a directive (e.g. `script-src`, `style-src`, ...). It uses a regex to locate a specific attribute in an HTML element, given an optional pre-condition or file format.

The file `definitions.py` creates the directive objects and defines their conditions through the `add_search_instruction` method. If you want to add a directive or modify a search condition, do it there.
```python
style_src.add_search_instruction(
    tag = "link",
    attribute = "href",
    format = ".css"
)
```

This instruction will find and classify this source as style-src:

```html
<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.0/css/font-awesome.min.css"/>
```

But not this:

```html
<link href="https://somecdn/js/somejsfile.js"/>
```
```python
style_src.add_search_instruction(
    tag = "link",
    attribute = "href",
    condition = ("rel", "stylesheet")
)
```

This instruction will find and classify this source as style-src:

```html
<link
  href="https://fonts.googleapis.com/css2?family=Montserrat:wght@100;400;500;600;700&display=swap"
  rel="stylesheet"
/>
```

But not this:

```html
<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.0/css/font-awesome.min.css"/>
```
```python
style_src.add_search_instruction(
    tag = "link",
    attribute = "href"
)
```

This instruction would find and classify all of the above examples.
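To make the matching semantics of the three instructions above concrete, here is an added, self-contained illustration (not the csp-scan package's own code) that applies the same `tag`/`attribute`/`format`/`condition` rules to constructed HTML, collects the matched origins for a directive, and flags any plain-HTTP origin the way the warning system would. The `format` check (URL path ends with the suffix), the function names and the `legacy.example.test` host are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

TAG_RE = re.compile(r"<(\w+)\b([^>]*?)/?>", re.S)          # one opening tag per match
ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')        # double-quoted attributes only

# Constructed sample: the three page examples plus one insecure HTTP stylesheet.
SAMPLE_HTML = """
<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.0/css/font-awesome.min.css"/>
<link href="https://somecdn/js/somejsfile.js"/>
<link href="https://fonts.googleapis.com/css2?family=Montserrat:wght@100;400&display=swap" rel="stylesheet"/>
<link href="http://legacy.example.test/theme.css" rel="stylesheet"/>
"""

# Search instructions for style-src, mirroring the first two calls on the page.
STYLE_SRC = [
    {"tag": "link", "attribute": "href", "format": ".css"},
    {"tag": "link", "attribute": "href", "condition": ("rel", "stylesheet")},
]

def parse_tags(html):
    """Yield (tag_name, {attr: value}) for every opening tag in the HTML."""
    for m in TAG_RE.finditer(html):
        yield m.group(1).lower(), dict(ATTR_RE.findall(m.group(2)))

def matches(instruction, tag, attrs):
    """Apply one search instruction: tag and attribute must be present,
    optional format = path suffix, optional condition = (attr, value)."""
    if tag != instruction["tag"] or instruction["attribute"] not in attrs:
        return False
    fmt = instruction.get("format")
    if fmt and not urlsplit(attrs[instruction["attribute"]]).path.endswith(fmt):
        return False
    cond = instruction.get("condition")
    if cond and attrs.get(cond[0]) != cond[1]:
        return False
    return True

def collect_sources(html, instructions):
    """Return (sorted origins, sorted insecure http origins) for one directive."""
    origins, insecure = set(), set()
    for tag, attrs in parse_tags(html):
        for ins in instructions:
            if matches(ins, tag, attrs):
                url = urlsplit(attrs[ins["attribute"]])
                if url.scheme and url.netloc:            # skip relative paths ('self')
                    origin = f"{url.scheme}://{url.netloc}"
                    origins.add(origin)
                    if url.scheme == "http":
                        insecure.add(origin)              # would trigger the HTTP warning
    return sorted(origins), sorted(insecure)

def build_directive(name, origins, default="'self'"):
    """Render one CSP directive from its default value and collected origins."""
    return " ".join([name, default, *origins])
```

Running `collect_sources(SAMPLE_HTML, STYLE_SRC)` picks up the Bootstrap CDN via the `.css` rule, Google Fonts via the `rel="stylesheet"` rule, skips the `.js` link, and reports `http://legacy.example.test` as insecure.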