Tighten a Content-Security-Policy by stripping wildcards and verifying the result against actual page resource loads observed in browser logs.
Reads the current Content-Security-Policy of a site, harvests actual loaded resources from a fresh browser run, and proposes a tightened CSP that drops wildcards in favor of explicit hosts. Output includes the new header and a regression-risk note.
Inputs:
- current_csp: the existing Content-Security-Policy header value.
- urls: a list of URLs to crawl when gathering observed resources.
- mode: enforce (default) or report-only.

Steps:
1. Parse current_csp into a per-directive map, {default-src: [...], script-src: [...], img-src: [...]}.
2. Launch npx playwright open --browser chromium <url> programmatically for each URL and record every resource request via page.on('request', ...).
3. Replace wildcard sources with the explicit hosts observed for that directive, retaining 'self' and https: only if observed mixed-content situations require them.
4. If 'unsafe-inline' is currently in script-src or style-src, propose using 'strict-dynamic' with a server-rendered nonce or a hash-set of the inline blocks.
5. Check for eval() use (warning in browser console); if absent, drop 'unsafe-eval'.
6. Write the new header to csp-tightened.txt and the analysis to csp-tightening.md.

Outputs: csp-tightened.txt (new header, ready to paste) and csp-tightening.md (delta from current, observed hosts per directive, Google evaluator score, rollout plan). Stdout prints the wildcard count removed.
Stage the new CSP in report-only mode for at least 7 days while collecting violation reports. If reports are empty, switch to enforce mode. Re-run the browser crawl after deploy and confirm zero unexpected blocked resources in the console. Validate header syntax with https://csp-evaluator.withgoogle.com/.
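As an added example (not the skill's own code), the tightening step written in JavaScript over constructed Playwright-style request records: the hosts, tightenCsp and TYPE_TO_DIRECTIVE are assumptions, and the live page.on('request', ...) capture is replaced by the embedded SAMPLE_REQUESTS.

```javascript
// Added example (not the skill's own code): the tightening step, fed constructed
// Playwright-style request records instead of a live crawl.
const TYPE_TO_DIRECTIVE = { script: 'script-src', stylesheet: 'style-src', image: 'img-src',
  font: 'font-src', fetch: 'connect-src', xhr: 'connect-src', media: 'media-src' };
// '*', host patterns like https://*.cdn.test and scheme-wide https:/http: are wildcards.
const isWildcard = (s) => s.includes('*') || s === 'https:' || s === 'http:';

function parseCsp(header) { // header string -> { directive: [sources...] }
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function tightenCsp(currentCsp, siteOrigin, requests, evalObserved = false) {
  const policy = parseCsp(currentCsp);
  const observed = {}; // directive -> Set of origins actually requested
  for (const { url, resourceType } of requests) {
    const origin = new URL(url).origin;
    (observed[TYPE_TO_DIRECTIVE[resourceType] || 'default-src'] ??= new Set())
      .add(origin === siteOrigin ? "'self'" : origin);
  }
  // An absent directive inherits default-src; copy a wildcard default-src down so it tightens per directive.
  for (const d of Object.keys(observed)) {
    if (!policy[d] && policy['default-src']?.some(isWildcard)) policy[d] = [...policy['default-src']];
  }
  let removed = 0; const notes = [];
  for (const [directive, sources] of Object.entries(policy)) {
    const kept = sources.filter((s) => !isWildcard(s));
    removed += sources.length - kept.length;
    if (kept.length < sources.length) { // wildcards out, observed origins in
      for (const o of observed[directive] || []) if (!kept.includes(o)) kept.push(o);
    }
    if (directive === 'script-src' && !evalObserved && kept.includes("'unsafe-eval'")) {
      kept.splice(kept.indexOf("'unsafe-eval'"), 1);
      notes.push("dropped 'unsafe-eval': no eval() use observed in the console");
    }
    if (/^(script|style)-src$/.test(directive) && kept.includes("'unsafe-inline'"))
      notes.push(`${directive} keeps 'unsafe-inline': propose 'strict-dynamic' with a nonce or inline hashes`);
    policy[directive] = kept.length ? kept : ["'none'"]; // nothing observed: fail closed
  }
  const header = Object.entries(policy).map(([d, s]) => `${d} ${s.join(' ')}`).join('; ');
  return { header, removedWildcards: removed, notes };
}
// Constructed sample: a permissive policy and four requests a crawl might record.
const SAMPLE_CSP = "default-src 'self' *; script-src 'self' * 'unsafe-eval'; img-src *";
const SAMPLE_REQUESTS = [ // constructed, shaped like Playwright request records
  { url: 'https://app.test/main.js', resourceType: 'script' }, { url: 'https://cdn.test/vendor.js', resourceType: 'script' },
  { url: 'https://img.test/logo.png', resourceType: 'image' }, { url: 'https://api.test/me', resourceType: 'fetch' },
];
```

Calling tightenCsp(SAMPLE_CSP, 'https://app.test', SAMPLE_REQUESTS) yields the header with four wildcards removed and one note; directives with no observed loads collapse to 'none', which is exactly the regression risk the report-only staging period is meant to surface.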
Related skills (same domains or capabilities as amitte/csp-policy-tightener):
- Find CSS or JS animations that trigger layout or paint instead of compositor-only properties and propose property swaps with sample diffs.
- Audit an AWS IAM policy against CloudTrail usage data and propose a minimized policy listing only actions actually invoked in the analysis window.
- Map a SOC2 or ISO 27001 control to evidence artifacts in a typical engineering org — produce a list of artifacts, owners, and the query or path that produces each.
- Scan a container image with Trivy or Grype and surface fixes ranked by exploitability and patch availability.
- Read a Lighthouse or CrUX report and narrate LCP, CLS, and INP scores into a prioritized fix plan with concrete code suggestions.
- Audit a CORS configuration for over-permissive Origin, Methods, and Headers and propose a tightened policy keyed to actual cross-origin call patterns.