cspresso - Brew a Content Security Policy on cspresso
https://cspresso.cafe/
Recent content in cspresso

cspresso Docs
https://cspresso.cafe/docs.html
Mon, 01 Jan 0001 00:00:00 +0000

Prefer canonical docs? See the README.

Usage
cspresso crawls up to --max-pages same-origin pages in Chromium, observes what loads, and emits a draft CSP.

Install
    # Recommended
    pipx install cspresso
    # Or plain pip (use a venv)
    pip install cspresso
    # An AppImage is also available on the git repo Releases page.

Python + Playwright
You need Python 3.

cspresso Evaluate
https://cspresso.cafe/evaluate.html
Mon, 01 Jan 0001 00:00:00 +0000

Evaluate: Test a CSP before you enforce it
Use --evaluate to inject a candidate policy as Content-Security-Policy-Report-Only, collect violations, and fail the run if anything would break.

    cspresso https://example.com \
      --bypass-csp \
      --evaluate "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net;" \
      --json

Exit codes
    0 → no Report-Only violations detected
    1 → violations detected (ideal for CI gates)

Tip: keep your CSP string quoted; it usually contains spaces and semicolons.

Why --bypass-csp matters
If the target site already sets an enforcing CSP, it can block loads and change runtime behaviour.

cspresso Recipes
https://cspresso.cafe/recipes.html
Mon, 01 Jan 0001 00:00:00 +0000

Recipes: Practical workflows
A handful of commands that cover most real-world cspresso usage.

Draft a CSP
    cspresso https://example.com --max-pages 10
Start here, then audit the output. Crawls won’t cover every flow (auth-only pages, conditional loads, A/B tests, etc.).

Headed debugging
    cspresso https://example.com --headed --settle-ms 2500
Useful when the site does delayed loads or you want to visually confirm what’s happening during the crawl.

Sourcemaps & connect-src
    cspresso https://example.

cspresso Security
https://cspresso.cafe/security.html
Mon, 01 Jan 0001 00:00:00 +0000

Security notes
cspresso runs a real browser. That’s the point - and also the main safety consideration.

What cspresso does
cspresso launches Chromium via Playwright and loads your target pages. The site’s JavaScript and CSS execute like a normal browser session. Network requests are observed to build a draft CSP, and (optionally) a candidate policy is injected as Report-Only to capture violations.

About --bypass-csp
It can change risk
Bypassing CSP strips existing CSP headers on HTML responses.