Validation Scans

Validation scans test your generated CSP policy against your live website to ensure it won't break functionality when deployed.

What is a Validation Scan?

A validation scan:

  • Injects your CSP policy into your live website
  • Loads each configured page with the policy in enforce mode
  • Detects any violations that would occur
  • Reports missing sources or policy issues

This allows you to catch problems before deploying the policy to production.

Why Validate Before Deploying?

Deploying a CSP policy that blocks legitimate resources will:

  • Break functionality on your site
  • Prevent scripts, styles, or images from loading
  • Cause a poor user experience
  • Potentially break critical features

Validation scans help you identify and fix these issues in a safe, controlled environment.

How Validation Scans Work

When you run a validation scan:

  1. Policy injection - ScriptAttest injects your generated CSP policy as a header
  2. Page loading - A headless browser loads each configured page
  3. Violation detection - The browser reports any CSP violations
  4. Analysis - ScriptAttest analyzes violations and identifies missing sources
  5. Reporting - Results are displayed in your dashboard

Running a Validation Scan

To run a validation scan:

  1. Generate your CSP policy (or use an existing one)
  2. Navigate to the CSP Management tab
  3. Click Start Validation Scan
  4. Wait for the scan to complete (typically 30-60 seconds per page)
  5. Review the validation results

Understanding Validation Results

Validation results show:

Violations Detected

Each violation includes:

  • Violated directive - Which CSP rule was violated (e.g., script-src, img-src)
  • Blocked URI - The resource that was blocked
  • Document URI - The page where the violation occurred
  • Source file - The script that tried to load the blocked resource

Missing Sources

Validation scans identify sources that:

  • Were not discovered in the initial discovery scan
  • Load conditionally or after user interaction
  • Are needed but not approved
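The analysis step described above, as an added example that is not ScriptAttest's own code: it parses a CSP header, checks each violation report's blocked URI against the violated directive (falling back to default-src, as browsers do), and collects the source expressions that still need approving. The policy and the reports are constructed; the report field names are those browsers send in csp-report JSON, and the source matching is simplified (host sources compared by host only, no path or port matching).

```python
from urllib.parse import urlsplit

# Constructed sample policy (as injected in the Content-Security-Policy header) and constructed
# violation reports, using the field names browsers send in csp-report JSON.
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' data:"
REPORTS = [
    {"document-uri": "https://shop.example.com/checkout", "violated-directive": "script-src",
     "blocked-uri": "https://analytics.example.net/tag.js", "source-file": "https://shop.example.com/js/app.js"},
    {"document-uri": "https://shop.example.com/", "violated-directive": "img-src", "blocked-uri": "https://cdn.example.com/logo.png"},
    {"document-uri": "https://shop.example.com/", "violated-directive": "script-src", "blocked-uri": "inline"},
    {"document-uri": "https://shop.example.com/", "violated-directive": "font-src", "blocked-uri": "https://fonts.gstatic.com/s/roboto.woff2"},
]

def parse_policy(header):
    """Split a CSP header into {directive: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def origin_of(uri):
    return "{0.scheme}://{0.netloc}".format(urlsplit(uri))

def host_allowed(sources, blocked_uri, document_uri):
    """Simplified CSP source matching: 'self', scheme sources, *.wildcards and host sources."""
    blocked = urlsplit(blocked_uri)
    for src in sources:
        if (src == "'self'" and origin_of(blocked_uri) == origin_of(document_uri)
                or src.endswith(":") and blocked.scheme == src[:-1]            # scheme source, e.g. https:
                or src.startswith("*.") and blocked.netloc.endswith(src[1:])  # wildcard host, e.g. *.example.com
                or not src.startswith("'") and blocked.netloc == src.split("://")[-1].rstrip("/")):
            return True                                                        # host source (scheme not compared)
    return False

def missing_sources(header, reports):
    """Map each violated directive to the source expressions that still need approving."""
    policy, missing = parse_policy(header), {}
    for report in reports:
        directive = report["violated-directive"].split()[0].lower()    # older browsers send the full directive text
        sources = policy.get(directive, policy.get("default-src", []))  # fetch directives fall back to default-src
        blocked = report["blocked-uri"]
        if blocked in ("inline", "eval"):          # flag for review; a hash, nonce or external file is preferable
            suggestion, allowed = f"'unsafe-{blocked}'", f"'unsafe-{blocked}'" in sources
        elif "://" not in blocked:                 # scheme-only report such as "data" or "blob"
            suggestion, allowed = blocked + ":", blocked + ":" in sources
        else:
            suggestion, allowed = origin_of(blocked), host_allowed(sources, blocked, report["document-uri"])
        if not allowed:
            missing.setdefault(directive, set()).add(suggestion)
    return {directive: sorted(srcs) for directive, srcs in missing.items()}
```

Each entry in the result is a source to approve (or, for inline scripts, a prompt to hash, nonce or externalize them) before regenerating the policy and re-validating.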

Pass/Fail Status

Each page gets a pass/fail status:

  • Pass - No violations detected, policy is safe to deploy
  • Fail - Violations detected, policy needs adjustment

Fixing Validation Issues

When validation finds violations:

  1. Review violations - Check each violation to understand what was blocked
  2. Approve missing sources - If the blocked resource is legitimate, approve it
  3. Regenerate policy - Create a new policy with the updated sources
  4. Re-validate - Run another validation scan to confirm fixes

Common Validation Issues

Missing Third-Party Scripts

Problem: A third-party script loads conditionally and wasn't discovered initially.

Solution: Approve the domain or hash, then regenerate and re-validate.

Dynamic Inline Scripts

Problem: Inline scripts with dynamic content have different hashes each time.

Solution: Either approve 'unsafe-inline' for that directive or refactor to use external scripts.

Conditional Resources

Problem: Some resources load only after user interaction or are served to a subset of visitors by A/B tests, so a scan that does not trigger them misses them.

Solution: Approve these sources proactively or use report-only mode initially to catch them.

Multi-Page Validation

Validation scans test all configured pages. This ensures:

  • Your policy works across your entire site
  • Page-specific resources are accounted for
  • No pages break when the policy is deployed

Validation vs. Discovery

Discovery scans find which resources your site uses. Validation scans test whether your policy allows those resources.

You should:

  1. Run a discovery scan to find all resources
  2. Approve necessary sources
  3. Generate a policy
  4. Run a validation scan to test the policy
  5. Fix any issues and re-validate
  6. Deploy once validation passes

Best Practices

  • Always validate before deploying - Never skip validation
  • Validate all pages - Include all critical pages in validation
  • Fix issues iteratively - Address violations one at a time
  • Re-validate after changes - Run validation again after approving new sources
  • Use report-only first - Deploy in report-only mode even after validation passes

Next Steps

After validation passes:

  1. Deploy your policy to your server
  2. Start with report-only mode
  3. Monitor violations in production
  4. Switch to enforce mode once confident