📦 csp-policy-generator

v1.0.0

Generate, validate, and tighten Content Security Policy (CSP) headers for web applications. Analyze existing pages to discover resource origins, build least-...


Runtime dependencies

No special dependencies

Install command

Official: npx clawhub@latest install csp-policy-generator
Mirror (CN): npx clawhub@latest install csp-policy-generator --registry https://cn.longxiaskill.com

Skill documentation

CSP Policy Generator

Build Content Security Policy headers that actually work. Analyze your web application to discover all resource origins (scripts, styles, images, fonts, frames, APIs), generate a least-privilege CSP, test for violations, and provide a safe migration path from report-only to enforcement.

Use when: "create CSP header", "content security policy", "fix CSP violations", "tighten CSP", "XSS prevention headers", "security headers", or when deploying CSP for the first time.

Commands

  • generate — Build CSP from Page Analysis
Step 1: Discover Resource Origins

# Fetch the page and extract all resource URLs
curl -sL "https://$HOST" | python3 - <<'PY'
import re
import sys
from urllib.parse import urlparse

html = sys.stdin.read()
sources = {d: set() for d in ('script-src', 'style-src', 'img-src', 'font-src',
                              'connect-src', 'frame-src', 'media-src', 'object-src')}

def origin(url):
    # host for absolute/protocol-relative URLs, 'self' for relative ones
    if url.startswith('data:'):
        return 'data:'
    return urlparse(url).netloc or "'self'"

# External script sources
for m in re.finditer(r'<script[^>]*\ssrc=["\x27]([^"\x27]+)', html, re.I):
    sources['script-src'].add(origin(m.group(1)))

# Inline scripts: a <script> tag without a src attribute
if re.search(r'<script(?![^>]*\ssrc=)[^>]*>', html, re.I):
    sources['script-src'].add("'unsafe-inline'")

# Style sources: stylesheet <link>s (any attribute order) and style="" attributes
for m in re.finditer(r'<link\b([^>]*)>', html, re.I):
    attrs = m.group(1)
    href = re.search(r'href=["\x27]([^"\x27]+)', attrs, re.I)
    if href and re.search(r'rel=["\x27]stylesheet', attrs, re.I):
        sources['style-src'].add(origin(href.group(1)))
if re.search(r'\sstyle=["\x27]', html, re.I):
    sources['style-src'].add("'unsafe-inline'")

# Image and frame sources
for m in re.finditer(r'<img[^>]*\ssrc=["\x27]([^"\x27]+)', html, re.I):
    sources['img-src'].add(origin(m.group(1)))
for m in re.finditer(r'<iframe[^>]*\ssrc=["\x27]([^"\x27]+)', html, re.I):
    sources['frame-src'].add(origin(m.group(1)))

# Font sources referenced from inline CSS
for m in re.finditer(r'url\(["\x27]?([^)"\x27]+\.(?:woff2?|ttf|eot|otf))', html, re.I):
    sources['font-src'].add(origin(m.group(1)))

for directive, origins in sources.items():
    if origins:
        print(f"{directive}: {' '.join(sorted(origins))}")
PY

Also check JavaScript files for dynamic resource loading (fetch/XHR targets never appear in the HTML, so they are invisible to the step above):

# Find fetch/XMLHttpRequest/import targets in JS files
curl -sL "https://$HOST/main.js" 2>/dev/null | \
  rg -o 'fetch\(["\x27]https?://[^"\x27]+' 2>/dev/null

Step 2: Build Least-Privilege Policy

Starting from a deny-all baseline, add only discovered origins:

default-src 'none'; script-src 'self' [discovered script origins]; style-src 'self' [discovered style origins]; img-src 'self' data: [discovered image origins]; font-src 'self' [discovered font origins]; connect-src 'self' [discovered API origins]; frame-src [discovered frame origins]; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;

Step 3: Security Recommendations

For each directive, flag concerns:

  • 'unsafe-inline' in script-src → recommend a nonce-based approach or hashes
  • 'unsafe-eval' → flag as high risk; identify which library needs it
  • wildcards → replace with specific domains
  • data: in script-src → XSS risk
  • Missing frame-ancestors → clickjacking risk
  • Missing upgrade-insecure-requests → mixed content risk

Step 4: Output

# CSP Policy for $HOST

Recommended Policy (Report-Only — start here)

Content-Security-Policy-Report-Only: default-src 'none'; script-src 'self' cdn.example.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: images.example.com; font-src 'self' fonts.gstatic.com; connect-src 'self' api.example.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests; report-uri /csp-report

Enforcement Policy (after monitoring report-only)

Content-Security-Policy: [same as above without -Report-Only]

Migration Path

  • Deploy the report-only policy (above)
  • Monitor /csp-report for 1-2 weeks; expect noise from browser extensions and filter it before treating a report as a real violation
  • Fix any violations found
  • Switch to enforcing mode
  • Remove 'unsafe-inline' from style-src (use nonces instead)

Warnings

  • 🟡 'unsafe-inline' in style-src — fix by adding nonces
  • 🟢 No 'unsafe-eval' — good
  • 🟢 frame-ancestors 'none' — clickjacking protected

  • validate — Test Existing CSP

Check a live site's CSP for weaknesses. Use a GET rather than `curl -I` (HEAD): some servers attach security headers only to GET responses. A CSP set in a <meta http-equiv> tag lives in the body and is missed by header inspection, so grep the page too.

curl -sL -D - -o /dev/null "https://$HOST" | grep -i "content-security-policy"

Parse the policy and flag:

  • Directives with 'unsafe-inline' or 'unsafe-eval'
  • Overly broad wildcards (*.example.com or *)
  • Missing directives (default-src absent, leaving unlisted fetch directives unrestricted)
  • report-uri vs report-to configuration
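The checks listed under Step 3 above and in this validate section, written out as a parser and linter. This is an added example for this page, not code from the csp-policy-generator skill; it splits the header the way a browser does (first occurrence of a directive wins, fetch directives fall back to default-src) and returns findings ordered by severity. RECOMMENDED is the page's own report-only policy; WEAK is a constructed sample.

```python
"""Added example, not code from the csp-policy-generator skill: parse a
Content-Security-Policy header value the way a browser splits it and flag
the weaknesses the Step 3 and validate checks describe."""

FETCH = ("script-src", "style-src", "img-src", "font-src", "connect-src",
         "frame-src", "media-src", "object-src", "worker-src")
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """{directive: [source expressions]}. Directive names are case-insensitive
    and a repeated directive is ignored, so the first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(header: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings, highest severity first."""
    p = parse_csp(header)
    out: list[tuple[str, str]] = []

    def effective(d: str) -> list[str]:
        # fetch directives fall back to default-src when absent
        return p.get(d, p.get("default-src", []))

    script = effective("script-src")
    if "'unsafe-inline'" in script:
        if any(s.startswith(NONCE_OR_HASH) for s in script):
            out.append(("INFO", "script-src 'unsafe-inline' is ignored by browsers that honour the nonce/hash; acceptable as a legacy fallback"))
        else:
            out.append(("HIGH", "script-src 'unsafe-inline': injected inline script executes; move to nonces or hashes"))
    if "'unsafe-eval'" in script:
        out.append(("HIGH", "script-src 'unsafe-eval': find the library that needs eval()/new Function and replace it"))
    if "data:" in script:
        out.append(("HIGH", "script-src data:: attacker-controlled data: URLs run as script"))
    style = effective("style-src")
    if "'unsafe-inline'" in style and not any(s.startswith(NONCE_OR_HASH) for s in style):
        out.append(("LOW", "style-src 'unsafe-inline': CSS injection can exfiltrate page content; nonce or hash the inline styles"))
    for d in ("default-src",) + FETCH:
        for s in p.get(d, []):
            if s == "*" or "*" in s or s in ("http:", "https:"):
                out.append(("MEDIUM", f"{d} {s}: overly broad source, replace with specific hosts"))
    if "default-src" not in p:
        missing = [d for d in FETCH if d not in p]
        if missing:
            out.append(("MEDIUM", "no default-src; these directives are unrestricted: " + ", ".join(missing)))
    if not effective("object-src"):
        out.append(("MEDIUM", "neither object-src nor default-src: plugin/embed content is unrestricted"))
    for d, why in (("frame-ancestors", "the page can be framed by any origin (clickjacking)"),
                   ("base-uri", "an injected <base> tag redirects relative script URLs"),
                   ("form-action", "an injected <form> can post credentials to another origin")):
        if d not in p:
            out.append(("MEDIUM", f"missing {d}: {why}"))
    if "upgrade-insecure-requests" not in p:
        out.append(("LOW", "no upgrade-insecure-requests: http:// subresources remain mixed content"))
    if "report-uri" in p and "report-to" not in p:
        out.append(("INFO", "report-uri only: deprecated but still the most widely delivered; add report-to (with a Reporting-Endpoints header) beside it"))
    elif "report-to" in p and "report-uri" not in p:
        out.append(("INFO", "report-to only: older browsers send no reports; keep report-uri as a fallback"))
    elif "report-uri" not in p and "report-to" not in p:
        out.append(("INFO", "no reporting directive: violations are only visible in devtools"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    return sorted(out, key=lambda f: rank[f[0]])


# Samples: the page's recommended report-only policy, and a constructed weak one
RECOMMENDED = ("default-src 'none'; script-src 'self' cdn.example.com; "
               "style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
               "img-src 'self' data: images.example.com; font-src 'self' fonts.gstatic.com; "
               "connect-src 'self' api.example.com; frame-ancestors 'none'; base-uri 'self'; "
               "form-action 'self'; upgrade-insecure-requests; report-uri /csp-report")
WEAK = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.cdn.example.com; report-to csp"

if __name__ == "__main__":
    for name, policy in (("recommended", RECOMMENDED), ("weak", WEAK)):
        print(f"== {name}")
        for severity, msg in lint_csp(policy):
            print(f"  {severity:6} {msg}")
```

Run it on the header value extracted by the curl command above; the recommended policy yields only the yellow style-src finding plus a reporting note, while WEAK produces three HIGH findings before anything else.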

  • nonce — Generate Nonce-Based CSP Setup

For frameworks that support it, generate nonce middleware:

// Express middleware example
const crypto = require('crypto');
const express = require('express');
const app = express();

app.use((req, res, next) => {
  // Fresh 128-bit nonce per response; never reuse it or cache the rendered page with it
  res.locals.nonce = crypto.randomBytes(16).toString('base64');
  res.setHeader(
    'Content-Security-Policy',
    `script-src 'nonce-${res.locals.nonce}' 'strict-dynamic'; style-src 'self' 'nonce-${res.locals.nonce}'`
  );
  next();
});

Templates must copy res.locals.nonce onto every <script nonce="..."> and <style nonce="..."> tag. With 'strict-dynamic' present, host sources such as 'self' are ignored for script-src: only nonced scripts, and scripts they load at runtime, execute.

  • hash — Generate Hash-Based CSP for Static Sites

For static sites where nonces aren't practical, hash all inline scripts/styles. The hash covers the exact bytes between the tags, whitespace included, so it must be regenerated whenever the inline block changes:

# Hash each inline script
grep -oP '(?<=<script>).*?(?=</script>)' index.html | whi
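One worked version of the whole generate procedure (Step 1 discovery, Step 2 deny-by-default policy) combined with this hash command. It is an added example written for this page, not the skill's own code: it walks the HTML with Python's standard html.parser instead of regexes, so attribute order does not matter, hashes each inline <script>/<style> body in place of 'unsafe-inline', and reports what the HTML alone cannot tell you (fetch targets, style= attributes). SAMPLE_HTML and the hostnames in it are constructed.

```python
"""Added example, not code from the csp-policy-generator skill: collect CSP
origins from HTML with html.parser, hash inline blocks, emit a policy."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

DIRECTIVES = ("script-src", "style-src", "img-src", "font-src", "connect-src",
              "frame-src", "media-src", "object-src")
SELF_DEFAULT = ("script-src", "style-src", "img-src", "font-src", "connect-src")


def csp_hash(body: str) -> str:
    """'sha256-...' source for an inline block: hash the exact bytes between
    the tags, whitespace included, or the browser's hash will not match."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def source_for(url: str) -> str:
    """URL -> CSP source: scheme source for data:/blob:, host for absolute or
    protocol-relative URLs, 'self' for relative ones."""
    if url.startswith(("data:", "blob:")):
        return url.split(":", 1)[0] + ":"
    host = urlparse(url).netloc
    return host if host else "'self'"


class CspCollector(HTMLParser):
    """One pass over the HTML: external origins per directive plus hashes of
    inline <script>/<style> bodies (delivered via handle_data in CDATA mode)."""

    def __init__(self) -> None:
        super().__init__()
        self.origins = {d: set() for d in DIRECTIVES}
        self.hashes = {"script-src": [], "style-src": []}
        self.style_attrs = 0        # style="..." attributes need 'unsafe-hashes'
        self._inline = None         # tag whose inline body is being captured
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if a.get("style"):
            self.style_attrs += 1
        if tag == "script":
            if a.get("src"):
                self.origins["script-src"].add(source_for(a["src"]))
            else:
                self._inline, self._buf = "script", []
        elif tag == "style":
            self._inline, self._buf = "style", []
        elif tag == "link" and a.get("href"):
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel:
                self.origins["style-src"].add(source_for(a["href"]))
            elif "preload" in rel and a.get("as") == "font":
                self.origins["font-src"].add(source_for(a["href"]))
        elif tag == "img" and a.get("src"):
            self.origins["img-src"].add(source_for(a["src"]))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.origins["frame-src"].add(source_for(a["src"]))
        elif tag in ("audio", "video") and a.get("src"):
            self.origins["media-src"].add(source_for(a["src"]))
        elif tag in ("object", "embed") and (a.get("data") or a.get("src")):
            self.origins["object-src"].add(source_for(a.get("data") or a["src"]))

    def handle_data(self, data):
        if self._inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._inline:
            self.hashes[tag + "-src"].append(csp_hash("".join(self._buf)))
            self._inline = None


def build_policy(html: str) -> tuple[str, list[str]]:
    """Return (policy header value, follow-up notes) for one page's HTML."""
    c = CspCollector()
    c.feed(html)
    c.close()
    parts = ["default-src 'none'"]
    for d in DIRECTIVES:
        srcs = sorted(c.origins[d])
        if d in SELF_DEFAULT:
            srcs = ["'self'"] + [s for s in srcs if s != "'self'"]
        elif not srcs:
            srcs = ["'none'"]          # nothing discovered: keep it closed
        srcs += c.hashes.get(d, [])
        parts.append(f"{d} {' '.join(srcs)}")
    parts += ["frame-ancestors 'none'", "base-uri 'self'", "form-action 'self'",
              "upgrade-insecure-requests"]
    notes = ["connect-src only allows 'self'; add the fetch/XHR/WebSocket targets found in the JS bundles"]
    if c.style_attrs:
        notes.append(f"{c.style_attrs} style= attribute(s) found; hashes do not cover them, "
                     "move the rules to a stylesheet or add 'unsafe-hashes'")
    return "; ".join(parts), notes


# Constructed sample page; hostnames are illustrative
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/static/app.css">
<style>body{margin:0}</style>
<script src="https://cdn.example.com/lib.js"></script>
<script>window.__cfg={api:"https://api.example.com"};</script>
</head><body style="padding:1em">
<img src="/logo.png"><img src="https://images.example.com/hero.jpg">
<img src="data:image/png;base64,AAAA">
<iframe src="https://www.youtube.com/embed/x"></iframe>
</body></html>"""

if __name__ == "__main__":
    policy, notes = build_policy(SAMPLE_HTML)
    print("Content-Security-Policy-Report-Only: " + policy + "; report-uri /csp-report")
    for note in notes:
        print("note:", note)
```

Feed it the body of `curl -sL "https://$HOST"` instead of SAMPLE_HTML to get a starting report-only policy; the notes are the gaps a page-only analysis leaves, which the JS-bundle check in Step 1 is there to close.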

Source: ClawHub ↗ · Chinese localization: 龙虾技能库