CSP Builder ($19)
Build Content Security Policy headers from presets, test against live URLs, and generate violation reports.
Formats: JSON, Markdown, Python
File Structure (10 files)
csp-builder/
├── LICENSE
├── README.md
├── examples/
│ └── csp_config.json
├── free-sample.zip
├── guide/
│ ├── 01_features.md
│ ├── 02_quick-start.md
│ ├── 03_configuration-reference.md
│ └── 04_license.md
├── index.html
└── src/
└── csp_builder.py
Documentation Preview (README excerpt)
CSP Builder
Build Content Security Policy headers from presets or config files. Test policies against live URLs and generate violation report configurations. A well-formed policy limits what an injected script can do, so an XSS bug that slips through is far harder to exploit.
Features
- Directive generator — covers all standard CSP directives (default-src, script-src, style-src, etc.)
- Preset policies — strict, moderate, and permissive presets for quick starts
- Policy tester — validate a URL's existing CSP headers and identify gaps
- Violation reporting — configure report-uri (deprecated in CSP Level 3 but still widely supported) and report-to directives
- Nonce generation — create cryptographic nonces for inline scripts and styles (a fresh nonce per response; a reused or predictable nonce gives no protection)
- Multiple output formats — HTTP header string or HTML meta tag
- Config file support — version-control your CSP policies as JSON
- Directive reference — built-in documentation for every CSP directive
Requirements
- Python 3.10+
- No external dependencies (stdlib only)
Quick Start
# Generate a strict CSP header
python src/csp_builder.py --preset strict
# Build from a config file
python src/csp_builder.py --config examples/csp_config.json --output csp_header.txt
# Test a live URL's CSP
python src/csp_builder.py --test --url https://example.com
Output
Outputs a ready-to-use CSP header string (e.g., Content-Security-Policy: default-src 'none'; script-src 'self'; ...) or an HTML meta tag equivalent. Note that browsers ignore frame-ancestors, report-uri, report-to and sandbox when the policy is delivered in a meta tag, so those directives only take effect in the HTTP header form. Test mode shows the existing policy with gap analysis.
Configuration Reference
Define your policy in JSON (see examples/csp_config.json):
{
  "directives": {
    "default-src": ["'none'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'", "https://api.example.com"],
    "font-src": ["'self'"],
    "frame-ancestors": ["'none'"]
  },
  "report_uri": "https://report.example.com/csp"
}
| Directive | Description |
|---|---|
| default-src | Fallback for all fetch directives |
| script-src | JavaScript execution sources |
... continues with setup instructions, usage examples, and more.
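The Quick Start and Configuration Reference above describe the workflow (read a JSON config, emit a header or meta tag, mint a nonce, report gaps) without showing what that code looks like. The following is an added example written for this page, not code from the CSP Builder product: a stdlib-only Python module that loads a config in the README's shape, serialises it to a Content-Security-Policy value, appends a per-response nonce, drops the directives browsers ignore in a meta tag, and runs a small gap analysis. The directive allow-list, the function names and the finding messages are this example's own assumptions and are not the product's API; the sample config is the README's example embedded as a string.

```python
"""Added example, not code from the CSP Builder product: build, lint and
render a policy from a config shaped like examples/csp_config.json above."""
from __future__ import annotations

import base64
import html
import json
import secrets

# Directive names accepted by load_config (assumption: mirrors the README table).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "frame-ancestors",
    "base-uri", "form-action", "worker-src",
}
# Browsers ignore these when the policy is delivered in a <meta> tag.
META_IGNORED = {"frame-ancestors", "report-uri", "report-to", "sandbox"}

# Constructed sample: the README's example config, as it would be read from disk.
SAMPLE_CONFIG = """{
  "directives": {
    "default-src": ["'none'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'", "https://api.example.com"],
    "font-src": ["'self'"],
    "frame-ancestors": ["'none'"]
  },
  "report_uri": "https://report.example.com/csp"
}"""


def load_config(text: str) -> dict:
    """Parse the JSON config and reject directive names a browser would ignore."""
    config = json.loads(text)
    unknown = set(config["directives"]) - KNOWN_DIRECTIVES
    if unknown:
        raise ValueError(f"unknown CSP directive(s): {sorted(unknown)}")
    return config


def generate_nonce(nbytes: int = 16) -> str:
    """Fresh base64 nonce from the OS CSPRNG; mint one per response, never reuse it."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_policy(config: dict, nonce: str | None = None) -> str:
    """Serialise the directives (plus report_uri) into a CSP value.

    When a nonce is supplied it is added to script-src and style-src; a CSP3
    browser then ignores 'unsafe-inline' in those directives, so inline code
    runs only if it carries the matching nonce attribute.
    """
    parts = []
    for name, sources in config["directives"].items():
        sources = list(sources)
        if nonce and name in ("script-src", "style-src"):
            sources.append(f"'nonce-{nonce}'")
        parts.append(f"{name} {' '.join(sources)}")
    if config.get("report_uri"):
        parts.append(f"report-uri {config['report_uri']}")
    return "; ".join(parts)


def header_line(config: dict, nonce: str | None = None) -> str:
    """Full header as it would appear in an HTTP response."""
    return f"Content-Security-Policy: {build_policy(config, nonce)}"


def lint_policy(config: dict) -> list[str]:
    """Gap analysis in the spirit of the tool's --test mode; returns findings."""
    d = config["directives"]
    findings = []
    if "'unsafe-inline'" in d.get("script-src", []):
        findings.append("script-src allows 'unsafe-inline': injected inline scripts execute")
    if "'unsafe-inline'" in d.get("style-src", []):
        findings.append("style-src allows 'unsafe-inline': prefer a nonce or hashes")
    if "object-src" not in d and d.get("default-src") != ["'none'"]:
        findings.append("object-src unset and default-src is not 'none': plugin content loadable")
    if "base-uri" not in d:
        findings.append("base-uri unset: an injected <base> tag can redirect relative script URLs")
    if "frame-ancestors" not in d:
        findings.append("frame-ancestors unset: page can be framed (clickjacking)")
    if config.get("report_uri"):
        findings.append("report-uri is deprecated in CSP Level 3: also configure report-to")
    return findings


def to_meta_tag(config: dict, nonce: str | None = None) -> str:
    """<meta> form. Directives browsers ignore in meta are dropped here rather
    than emitted silently; report_uri is omitted for the same reason."""
    kept = {k: v for k, v in config["directives"].items() if k not in META_IGNORED}
    policy = build_policy({"directives": kept}, nonce)
    return f'<meta http-equiv="Content-Security-Policy" content="{html.escape(policy)}">'


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print(header_line(cfg, generate_nonce()))
    for finding in lint_policy(cfg):
        print("gap:", finding)
    print(to_meta_tag(cfg))
```

Run it as a script to see the header, the three findings the sample config produces (style-src 'unsafe-inline', missing base-uri, deprecated report-uri) and the meta tag with frame-ancestors stripped. The nonce is appended rather than replacing 'unsafe-inline' so that older browsers still render the page while CSP3 browsers get the strict behaviour.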
Code Sample (src/csp_builder.py)
#!/usr/bin/env python3
"""
CSP Builder — Security Kit (DataNest)
Builds Content Security Policy headers with directive generation,
violation reporting, and policy testing.
Usage:
python csp_builder.py --preset strict
python csp_builder.py --config csp_config.json --output csp_header.txt
python csp_builder.py --test --url https://example.com
Dependencies: Python 3.10+ stdlib only (no pip packages)
License: MIT
"""
from __future__ import annotations
import argparse
import json
import logging
import sys
import urllib.request
import urllib.error
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import Any
# ---------------------------------------------------------------------------
# Constants
# ---------------------------------------------------------------------------
logger = logging.getLogger("csp_builder")
# All CSP directives and their descriptions
CSP_DIRECTIVES: dict[str, str] = {
    "default-src": "Fallback for all fetch directives not explicitly set",
    "script-src": "Controls JavaScript execution sources",
    "style-src": "Controls CSS stylesheet sources",
    "img-src": "Controls image loading sources",
    "font-src": "Controls web font loading sources",
    "connect-src": "Controls XMLHttpRequest, fetch, WebSocket origins",
    "media-src": "Controls audio and video sources",
    "object-src": "Controls Flash, Java applet sources (should be 'none')",
    "frame-src": "Controls iframe embedding sources",
    "frame-ancestors": "Controls who can embed this page in iframes",
    "base-uri": "Controls the document base URL",
    "form-action": "Controls form submission targets",
    "worker-src": "Controls Web Worker and Service Worker sources",
# ... 379 more lines ...