npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@makerx/csp-analyser

v1.3.0

Published

Headlessly browse websites with a deny-all report-only CSP, capture violations, and generate production-ready CSP policies

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

patrick.dinhpatrick.dinhmakerx-engineeringmakerx-engineeringmakerxusermakerxuserplebsoriplebsorivatsalyagoelvatsalyagoel

Keywords

cspcontent-security-policysecuritymcpplaywright

Readme

CSP Analyser

Automatically generate production-ready Content Security Policy headers by crawling your website. CSP Analyser headlessly browses a target site with a deny-all report-only CSP, captures every violation, and produces a minimal, correct policy you can deploy immediately.

Available as a CLI and as an MCP server for AI coding agents (Claude Code, Cursor, Windsurf, Copilot).

Features

  • Headless crawling with configurable depth and page limits
  • Interactive mode for manual browsing with live violation capture
  • Authentication support (storage state with sessionStorage capture, manual login, raw cookies)
  • Dual violation capture (DOM events + HTTP reporting endpoint)
  • Smart policy optimization (common sources factored into default-src)
  • Nonce generation replacing unsafe-inline with nonce- placeholders
  • Full inline content hash extraction (scripts, styles, event handlers, style attributes)
  • Hash-based unsafe-inline removal using SHA-256/384/512 hashes
  • unsafe-eval stripping for iterative hardening
  • strict-dynamic support for script loading
  • Auto-collapse excessive hashes to unsafe-inline (configurable threshold)
  • Static site mode: detects static hosting and disables nonce suggestions
  • Static React/Expo profile: keeps scripts hash-strict while allowing scoped style-src-attr fallback for hash-heavy static exports
  • Hash stability analysis: warns when hashes are build-specific and impractical
  • unsafe-eval source attribution: identifies which dependencies require eval()
  • Session diffing to compare policy changes over time
  • Policy scoring and security grading
  • Permissions-Policy header capture
  • Export to 9 formats: HTTP header, <meta> tag, nginx, Apache, Cloudflare Workers, Cloudflare Pages, Azure Front Door (Bicep), Helmet.js, JSON
  • Browserless static-site mode (hash-static): scan built HTML files on disk and inject the policy directly — no Playwright, CI-friendly

Install

npm install -g @makerx/csp-analyser

Then install the browser dependency:

csp-analyser setup

Requires Node.js 20+.

Quick start

Crawl a public site and generate a CSP header:

csp-analyser crawl https://example.com

Crawl with authentication (Playwright storage state):

csp-analyser crawl https://example.com --storage-state auth.json

Interactive mode for sites that need manual navigation:

csp-analyser interactive https://example.com

Save your auth session for later headless crawls:

csp-analyser interactive https://example.com --save-storage-state auth.json

Have a static-site build on disk? Generate the policy from HTML files without launching a browser:

npm run build                             # your framework's build (VitePress, Next.js static export, Astro, etc.)
csp-analyser hash-static dist/ --inject   # hashes inline content and writes <meta> into every <head>

CLI commands

| Command | Description | | -------------------------- | ------------------------------------------------------------ | | crawl <url> | Headless crawl and generate policy | | interactive <url> | Manual browsing with violation capture | | audit <url> | Audit an existing CSP deployment and generate updated policy | | hash-static <path>... | Hash inline content in built HTML files, no browser required | | generate <session-id> | Regenerate policy from a previous session | | export <session-id> | Export policy in a specific format | | diff <id1> <id2> | Compare policies between two sessions | | score <session-id> | Score a generated policy | | permissions <session-id> | Show captured Permissions-Policy headers | | sessions | List sessions for the current project | | setup | Install browser and check dependencies | | start | Run the MCP server over stdio (for AI agents) |

Common flags

--depth <n>             Crawl depth (default: 1)
--max-pages <n>         Maximum pages to visit (default: 10)
--strictness <level>    strict | moderate | permissive (default: moderate)
--format <fmt>          header | meta | nginx | apache | cloudflare |
                        cloudflare-pages | azure-frontdoor | helmet | json
--nonce                 Replace unsafe-inline with nonce placeholders
--strict-dynamic        Add strict-dynamic alongside nonces (implies --nonce)
--hash                  Remove unsafe-inline when hash sources are available
--strip-unsafe-eval     Remove unsafe-eval from the generated policy
--collapse-hash-threshold <n>  Collapse hashes to 'unsafe-inline' when count
                        exceeds <n> per directive
--static-site           Target is a static site (disables nonce suggestions)
--static-profile <p>    Static framework profile: react-expo
--storage-state <path>  Playwright storage state file for auth
--cookies <json>        Raw cookies as JSON string
--manual-login          Open browser for manual login before crawl
--report-only           Generate report-only header
--project <name>        Override auto-detected project name
--all                   Show sessions from all projects (sessions command)
--no-color              Disable colored output

MCP server

CSP Analyser exposes an MCP server for AI coding agents over stdio:

csp-analyser start

Add to your MCP client config (e.g. Claude Code mcp.json):

{
  "mcpServers": {
    "csp-analyser": {
      "command": "csp-analyser",
      "args": ["start"]
    }
  }
}

The MCP server provides 12 tools for starting sessions, crawling URLs, hashing static HTML builds, generating policies, exporting in various formats, diffing sessions, scoring policies, inspecting sessions, listing sessions, querying violations, reading Permissions-Policy headers, and auditing existing CSP deployments.

Static sites (no browser)

For statically-built sites where all inline content is emitted at build time, hash-static avoids the Playwright crawl entirely. It scans HTML files on disk, hashes every inline <script>, <style>, style="" attribute, and on*="" event handler (including empty-string values, which browsers still evaluate against CSP), and either emits the policy or writes it directly into each <head> as a <meta> tag.

csp-analyser hash-static docs/.vitepress/dist --inject

Typical package.json usage:

{
  "scripts": {
    "build": "vitepress build docs && csp-analyser hash-static docs/.vitepress/dist --inject"
  }
}

For content that framework JS injects at runtime (not present in the built HTML), capture those hashes once via crawl and feed them back:

csp-analyser hash-static dist/ --inject \
  --extra "style-src-elem='sha256-runtimeInjectedStyleHash='" \
  --extra "script-src-elem='sha256-runtimeInjectedScriptHash='"

Or export a crawl as JSON and merge the whole policy at once:

csp-analyser export --format json > crawl-policy.json
csp-analyser hash-static dist/ --inject --merge-json crawl-policy.json

Export formats

HTTP header:

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com

nginx:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com" always;

Apache:

Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com"

Cloudflare Workers, Cloudflare Pages, Azure Front Door (Bicep), Helmet.js, <meta> tag, JSON are also supported. See the docs for examples.

Documentation

Full documentation is available at cspanalyser.com.

Development

npm install
npx playwright install chromium
npm run build
npm run test

License

MIT