Hugo site now

src/public/index.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+  <channel>
+    <title>cspresso - Brew a Content Security Policy on cspresso</title>
+    <link>https://cspresso.cafe/</link>
+    <description>Recent content in cspresso - Brew a Content Security Policy on cspresso</description>
+    <generator>Hugo</generator>
+    <language>en</language>
+    <atom:link href="https://cspresso.cafe/index.xml" rel="self" type="application/rss+xml" />
+    <item>
+      <title>cspresso Docs</title>
+      <link>https://cspresso.cafe/docs.html</link>
+      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
+      <guid>https://cspresso.cafe/docs.html</guid>
+      <description>On this page Install Run Output Inline scripts &amp;amp; styles Evaluate (Report-Only) Flags Prefer canonical docs? See the README. Docs Usage cspresso crawls up to --max-pages same-origin pages in Chromium, observes what loads, and emits a draft CSP. Install Copy # Recommended pipx install cspresso # Or plain pip (use a venv) pip install cspresso # An AppImage is also available on the # git repo Releases page. Python + Playwright You need Python 3.</description>
+    </item>
+    <item>
+      <title>cspresso Evaluate</title>
+      <link>https://cspresso.cafe/evaluate.html</link>
+      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
+      <guid>https://cspresso.cafe/evaluate.html</guid>
+      <description>Evaluate Test a CSP before you enforce it Use --evaluate to inject a candidate policy as Content-Security-Policy-Report-Only, collect violations, and fail the run if anything would break. Copy cspresso https://example.com \ --bypass-csp \ --evaluate &#34;default-src &#39;self&#39;; script-src &#39;self&#39; https://cdn.jsdelivr.net;&#34; \ --json Exit codes 0 → no Report‑Only violations detected 1 → violations detected (ideal for CI gates) Tip: keep your CSP string quoted; it usually contains spaces and semicolons. Why --bypass-csp matters If the target site already sets an enforcing CSP, it can block loads and change runtime behaviour.</description>
+    </item>
+    <item>
+      <title>cspresso Recipes</title>
+      <link>https://cspresso.cafe/recipes.html</link>
+      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
+      <guid>https://cspresso.cafe/recipes.html</guid>
+      <description>Recipes Practical workflows A handful of commands that cover most real-world cspresso usage.&#xA;Draft a CSP Copy cspresso https://example.com --max-pages 10 Start here, then audit the output. Crawls won’t cover every flow (auth-only pages, conditional loads, A/B tests, etc.). Headed debugging Copy cspresso https://example.com --headed --settle-ms 2500 Useful when the site does delayed loads or you want to visually confirm what’s happening during the crawl. Sourcemaps &amp;amp; connect-src Copy cspresso https://example.</description>
+    </item>
+    <item>
+      <title>cspresso Security</title>
+      <link>https://cspresso.cafe/security.html</link>
+      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
+      <guid>https://cspresso.cafe/security.html</guid>
+      <description>Security Security notes cspresso runs a real browser. That’s the point - and also the main safety consideration. What cspresso does cspresso launches Chromium via Playwright and loads your target pages. The site’s JavaScript and CSS execute like a normal browser session. Network requests are observed to build a draft CSP, and (optionally) a candidate policy is injected as Report‑Only to capture violations. About --bypass-csp It can change risk Bypassing CSP strips existing CSP headers on HTML responses.</description>
+    </item>
+  </channel>
+</rss>