Policy Generation

Once you've approved your sources, ScriptAttest can automatically generate a strict, secure Content Security Policy tailored to your site.

How Policy Generation Works

ScriptAttest generates your CSP policy by:

  1. Collecting approved sources - Gathers all domains, hashes, and unsafe directives you've approved
  2. Organizing by directive - Groups sources by CSP directive (script-src, style-src, img-src, etc.)
  3. Applying strict mode - Optionally enforces stricter rules for scripts and styles
  4. Adding report-uri - Includes your ScriptAttest report endpoint for violation monitoring
  5. Formatting the policy - Generates the final CSP header string

Policy Options

Strict Scripts

When enabled, strict scripts mode:

  • Requires explicit domain approval for all external scripts
  • Blocks scripts from unapproved domains
  • Prevents inline scripts unless explicitly approved via hash

Recommended: Enable this for maximum security, especially for sites handling sensitive data.

Strict Styles

When enabled, strict styles mode:

  • Requires explicit domain approval for all external stylesheets
  • Blocks stylesheets from unapproved domains
  • Prevents inline styles unless explicitly approved via hash

Note: Some CSS-in-JS libraries may require 'unsafe-inline' for styles. Consider this when enabling strict mode.

Auto-Approve First-Party

When enabled, automatically approves all resources from your own domain. This is useful for:

  • Sites with many first-party resources
  • Reducing manual approval work
  • Trusting your own infrastructure

Note: Make sure your domain is correctly configured before enabling this option.

CSP Directives

ScriptAttest generates policies with the following directives:

default-src

Fallback directive for all resource types. Typically set to 'self' to allow same-origin resources.

script-src

Controls which scripts can be executed. Includes:

  • Approved domains for external scripts
  • SHA-256 hashes for approved inline scripts
  • 'unsafe-inline' or 'unsafe-eval' if approved

style-src

Controls which stylesheets can be loaded. Similar to script-src but for CSS.

img-src

Controls which images can be loaded. Includes approved domains for:

  • Image CDNs
  • Tracking pixels
  • External avatars or media

connect-src

Controls which URLs can be loaded via fetch, XHR, WebSocket, etc. Includes:

  • API endpoints
  • WebSocket connections
  • Analytics endpoints

font-src

Controls which fonts can be loaded. Typically includes:

  • Google Fonts
  • Adobe Fonts
  • Self-hosted fonts

Violation Reporting

ScriptAttest automatically adds both reporting directives for maximum browser compatibility:

  • report-to csp-endpoint - For Chrome, Edge, Brave (Reporting API v1)
  • report-uri https://scriptattest.com/api/csp/report/YOUR_TOKEN - For Firefox, Safari
Important: For Chrome/Edge/Brave to send reports, you must also add a Reporting-Endpoints header to your server. See the deployment guide for details.

Policy Modes

Report-Only Mode

In report-only mode, the CSP policy:

  • Monitors violations but doesn't block resources
  • Allows you to test policies safely
  • Sends violation reports to ScriptAttest

Use Content-Security-Policy-Report-Only header for report-only mode.

Enforce Mode

In enforce mode, the CSP policy:

  • Actually blocks violating resources
  • Provides real security protection
  • Still sends violation reports

Use Content-Security-Policy header for enforce mode.

Warning: Always test in report-only mode first. Enforcing a policy with missing sources will break your site.

Generating a Policy

To generate a policy:

  1. Ensure you've approved all necessary sources
  2. Navigate to the CSP Management tab
  3. Configure policy options (strict mode, auto-approve, etc.)
  4. Click Generate Policy
  5. Review the generated policy
  6. Copy the policy string for deployment

Policy Format

Generated policies follow the standard CSP format: 

default-src 'self'; script-src 'self' 'sha256-...' https://cdn.example.com; style-src 'self' https://fonts.googleapis.com; img-src 'self' data: https://*.example.com; connect-src 'self' https://api.example.com; font-src 'self' https://fonts.gstatic.com; report-uri https://scriptattest.com/api/csp/report/TOKEN

Updating Policies

When you approve or reject new sources, you'll need to regenerate your policy. ScriptAttest maintains a history of all generated policies, so you can:

  • View previous policy versions
  • Restore a previous policy if needed
  • Compare policy changes

Best Practices

  • Start with report-only - Deploy in report-only mode first to catch issues
  • Enable strict mode - Use strict scripts and styles for better security
  • Review before deploying - Check the generated policy makes sense
  • Test thoroughly - Use validation scans before enforcing
  • Keep policies updated - Regenerate when adding new features

Next Steps

After generating your policy:

  1. Validate the policy against your live site
  2. Deploy the policy to your server
  3. Monitor violations and refine as needed