Assets | CSP
Most teams can't answer this instantly. Between first-party code, analytics tags, chatbots, and font CDNs, the list of assets grows daily. A Content Security Policy (CSP) turns that chaos into control. By defining exactly which assets (scripts, styles, fonts, images) are allowed to execute, you stop malicious code from running, even if it sneaks into your HTML.

✅ Allow 'self'
✅ Hash inline scripts
✅ Nonce dynamic tags
❌ Block 'unsafe-inline'

Hash an inline script so the policy allows that exact script body and nothing else (the hash covers the text between the script tags, so any whitespace change invalidates it):

```shell
# base64 of the raw SHA-256 digest; the policy source is this value prefixed with sha256-
echo -n "alert('safe')" | openssl dgst -sha256 -binary | base64
```

Output: 'sha256-abc123...'

For tags injected at runtime, mint a fresh nonce per response and put the same value on the header and on each script tag:

```javascript
const crypto = require('crypto');

// 16 random bytes, base64 encoded; regenerate on every response
const nonce = crypto.randomBytes(16).toString('base64');
// res is the Express-style response object; every <script nonce="..."> must carry this value
res.setHeader('Content-Security-Policy', `script-src 'nonce-${nonce}'`);
```

Start by finding out what actually loads:

```shell
# Crawl your site to list all assets
csp-scanner scan https://yoursite.com --output assets.json
```

