Source Management
After a discovery scan, you need to review and approve or reject each discovered source. This determines what will be allowed in your Content Security Policy.
Understanding Source Approval
Every external resource discovered during a scan needs to be explicitly approved or rejected. Approved sources are written into your CSP policy as allowed sources; rejected sources are left out, and because CSP is an allowlist, anything the policy does not list is blocked by the browser.
This granular control allows you to:
- Block unwanted third-party scripts (trackers, ads, etc.)
- Allow only trusted domains
- Use hash-based approvals for inline scripts
- Maintain a strict security posture
Approval Methods
1. Domain Approval
Approving a domain allows all resources from that domain. This is the most common method for third-party services like:
- Google Analytics (www.google-analytics.com)
- CDNs (cdn.jsdelivr.net)
- Font providers (fonts.googleapis.com)
Keep in mind that a host entry matches every path on that host, so approving a shared CDN such as cdn.jsdelivr.net allows any file anyone publishes there. CSP itself also accepts path prefixes (for example cdn.jsdelivr.net/npm/) when you need to narrow a host entry.
When to use: When you trust all content from a domain and expect to load multiple resources from it.
2. Hash Approval
Hash approval allows one specific inline script or style element by the SHA-256 hash of its exact text content (the bytes between the opening and closing tags, whitespace included). This is ideal for:
- Inline scripts that don't change
- Configuration scripts
- One-time initialization code
When to use: When you have inline scripts/styles that are static and you want to avoid 'unsafe-inline'.
Note: If an inline script's content changes, even by a single whitespace character, its hash changes too. You'll need to approve the new hash or use 'unsafe-inline' for dynamic content. Hashes also cover only inline <script> and <style> elements: inline event handler attributes (such as onclick) and javascript: URLs are not matched by a hash unless the browser supports the CSP Level 3 'unsafe-hashes' keyword, so the usual fix is to move that code into a script element.
3. Unsafe Approvals
For cases where you need 'unsafe-inline' or 'unsafe-eval', you can approve these directives. However, this significantly weakens your CSP:
- 'unsafe-inline' - Allows all inline scripts and styles, which removes most of the protection CSP gives you against injected script
- 'unsafe-eval' - Allows eval(), the Function() constructor, and string arguments to setTimeout()/setInterval()
Note that in browsers supporting CSP Level 2 or later, 'unsafe-inline' is ignored in a directive that also contains a hash or nonce source, so approving hashes and 'unsafe-inline' together does not give you a fallback for the scripts the hashes miss.
When to use: Only when absolutely necessary and after exploring alternatives. See our guide on eliminating eval().
Bulk Operations
ScriptAttest provides several bulk operations to speed up source management:
Approve Domain
Approve all sources from a specific domain at once. Useful when you discover multiple resources from the same trusted provider.
Reject Domain
Reject all sources from a domain. Use this to block unwanted trackers or third-party services.
Skip All
Mark all pending sources as "skipped". Skipped sources won't be included in policy generation but also won't be explicitly blocked.
Reviewing Sources
When reviewing discovered sources, consider:
- Is this source necessary? - Remove unnecessary third-party scripts when possible
- Is the domain trusted? - Only approve domains you trust
- What does it do? - Check the source URL and purpose before approving
- Is there an alternative? - Consider self-hosting or using a different provider
Common Sources
Here are some common sources you might encounter:
Analytics
- www.google-analytics.com - Google Analytics
- www.googletagmanager.com - Google Tag Manager
- cdn.segment.com - Segment analytics
CDNs
- cdn.jsdelivr.net - jsDelivr CDN
- cdnjs.cloudflare.com - Cloudflare CDN
- unpkg.com - unpkg CDN
Fonts
- fonts.googleapis.com - Google Fonts
- fonts.gstatic.com - Google Fonts static files
- use.typekit.net - Adobe Fonts
Source Status
Each source can have one of the following statuses:
- Pending - Discovered but not yet approved or rejected
- Approved - Will be included in the CSP policy
- Rejected - Will be explicitly blocked by CSP
- Skipped - Not included in policy generation
Updating Sources
You can change a source's status at any time:
- Navigate to the Sources tab
- Find the source you want to update
- Click the action button (Approve/Reject/Skip)
- Regenerate your policy to apply changes
Best Practices
- Start strict - Only approve sources you absolutely need
- Review regularly - Periodically review approved sources and remove unused ones
- Use hashes when possible - Prefer hash-based approvals over 'unsafe-inline'
- Document decisions - Note why you approved or rejected sources for future reference
- Monitor violations - Use violation reports to identify missing sources
Next Steps
After managing your sources: