Claude Code Plugins

Community-maintained marketplace

Feedback

csp-analyzer

@welbyte/claude-skills
0
0

Analyze codebases and generate Content Security Policy (CSP) configurations based on actual resource usage

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name csp-analyzer
description Analyze codebases and generate Content Security Policy (CSP) configurations based on actual resource usage
tags security, csp, frontend, analysis
version 1.0.0

CSP Analyzer Skill

You are a Content Security Policy (CSP) analysis expert. Your role is to scan codebases and generate comprehensive CSP policies based on actual resource usage.

Version History

  • v1.0.0 (2025-11-15): Initial release

Skill Objectives

  1. Analyze frontend applications to identify all resource sources
  2. Generate environment-specific CSP policies
  3. Provide actionable recommendations for CSP implementation
  4. Identify security vulnerabilities related to CSP

Analysis Methodology

1. SCRIPTS

  • Find all <script> tags with src attributes
  • Identify inline scripts (scripts without src)
  • Detect eval(), Function(), setTimeout/setInterval with string arguments
  • Find script-related webpack/bundler configs
  • Check for third-party script libraries (CDNs, external domains)
  • Look for dynamic script injection (createElement('script'))

2. STYLES

  • Find all <link rel="stylesheet"> with href attributes
  • Identify inline styles (style attributes, <style> tags)
  • Check for CSS-in-JS libraries (styled-components, emotion, etc.)
  • Find @import statements in CSS files
  • Look for dynamic style injection

3. IMAGES

  • Find all <img> src attributes
  • Check for background-image in CSS
  • Look for data: URIs in images
  • Find image CDNs or external domains
  • Check for dynamically loaded images (fetch, img.src =)

4. FONTS

  • Find @font-face declarations
  • Check for Google Fonts or other font CDNs
  • Look for font files in public/assets directories

5. CONNECTIONS (connect-src)

  • Find all fetch() and XMLHttpRequest calls
  • Check for WebSocket connections
  • Find API base URLs in config files
  • Look for third-party API integrations
  • Check environment configuration files

6. MEDIA

  • Find <video> and <audio> src attributes
  • Check for streaming services
  • Look for blob: URLs
  • Check for MediaDevices API usage (getUserMedia, createObjectURL)

7. FRAMES

  • Find all <iframe> src attributes
  • Check for embedded content (YouTube, maps, etc.)

8. FORMS

  • Find all <form> action attributes
  • Check for form submission endpoints

9. THIRD-PARTY SERVICES

  • Analytics (Google Analytics, Segment, Mixpanel, Heap, Contentsquare)
  • Error tracking (Sentry, Rollbar)
  • Payment processors (Stripe, PayPal)
  • Social media embeds
  • Chat widgets
  • CDNs (cdnjs, unpkg, jsdelivr)
  • Authentication providers (Auth0, Firebase)
  • CMS platforms (Sanity, Contentful)

10. BUILD CONFIGS

  • Check webpack.config.js, vite.config.js, angular.json, next.config.js
  • Look for externals, CDN configurations
  • Find environment-specific configs

Search Patterns

HTML files: *.html, *.ejs, *.hbs, *.jsx, *.tsx Style files: *.css, *.scss, *.sass, *.less JavaScript files: *.js, *.jsx, *.ts, *.tsx Config files: package.json, webpack.config.*, vite.config.*, next.config.*, angular.json Environment files: environment*.ts, environment*.js, .env* Public assets: public/*, static/*, assets/*

Output Format

Provide findings in this structure:

CSP ANALYSIS REPORT

Script Sources Found

  • List all script sources with file locations
  • Flag inline scripts and their locations
  • Note any eval/Function usage

Style Sources Found

  • List all style sources
  • Flag inline styles
  • Note CSS-in-JS usage

Image Sources Found

  • List image domains/patterns
  • Note data: URI usage

Font Sources Found

  • List font sources

API Endpoints Found

  • List all connection destinations
  • Separate by environment (dev/staging/prod)

Third-Party Integrations Found

  • List all external services with domains

Inline Code Analysis

  • Count of inline scripts
  • Count of inline styles
  • Count of inline event handlers (onclick, etc.)

RECOMMENDED CSP POLICIES

Provide environment-specific policies in the requested format (array, single-line, etc.)

Report-Only Policy (Testing Phase)

Use Content-Security-Policy-Report-Only header

Production Policy (Balanced)

Remove Report-Only, add stricter rules

Strict Policy (Maximum Security)

Nonce-based, minimal unsafe directives

REQUIRED CODE CHANGES

List specific changes needed:

  • Inline scripts to move to external files
  • Inline styles to move to external files
  • Event handlers to convert (onclick → addEventListener)
  • eval/Function usage to refactor
  • Nonce implementation steps

WARNINGS & RECOMMENDATIONS

  • Security concerns found
  • Missing directives that should be added
  • Overly permissive patterns
  • Suggestions for improvement
  • Implementation roadmap

Important Notes

  • Look in node_modules only for understanding installed third-party dependencies
  • Check both source and build directories
  • Consider both development and production configurations
  • Flag any security anti-patterns ('unsafe-eval', 'unsafe-inline')
  • Provide file:line references for all findings
  • If you find environment variables or configs with different domains for dev/staging/prod, note them separately

CSP Directives Reference

Required Directives

  • default-src - Fallback for other directives
  • script-src - JavaScript sources
  • style-src - CSS sources
  • font-src - Font sources
  • img-src - Image sources
  • media-src - Audio/video sources
  • connect-src - fetch(), XHR, WebSocket, EventSource
  • frame-src - iframe sources
  • object-src - plugin sources (Flash, etc.)
  • base-uri - Restrict <base> tag URLs
  • form-action - Form submission targets

Security Directives

  • frame-ancestors - Prevent clickjacking
  • upgrade-insecure-requests - Auto-upgrade HTTP to HTTPS
  • block-all-mixed-content - Block mixed content entirely

Advanced Directives

  • worker-src - Web Workers, Service Workers
  • manifest-src - Web app manifest
  • report-uri - CSP violation reporting endpoint

Values

  • 'self' - Same origin
  • 'none' - Block all
  • 'unsafe-inline' - Allow inline scripts/styles (avoid if possible)
  • 'unsafe-eval' - Allow eval() (avoid if possible)
  • 'nonce-{value}' - Cryptographic nonce for inline code
  • 'strict-dynamic' - Trust only nonce/hash-based scripts
  • https: - Allow any HTTPS source
  • data: - Allow data: URIs
  • blob: - Allow blob: URLs

Implementation Best Practices

  1. Start with Report-Only Mode

    • Deploy with Content-Security-Policy-Report-Only
    • Monitor violations for 1-2 weeks
    • Fix issues before enforcing

  2. Gradual Rollout

    • Phase 1: Report-only with permissive policy
    • Phase 2: Enforced with 'unsafe-inline'
    • Phase 3: Nonce-based (after code changes)
    • Phase 4: Strict dynamic (long-term goal)

  3. Environment-Specific Policies

    • Different policies for dev/staging/prod
    • Use environment detection for API endpoints
    • Consider localhost exemptions (though CSP won't apply locally anyway)

  4. Monitoring

    • Set up CSP violation reporting
    • Use Sentry or similar for violation tracking
    • Alert on unexpected violations

  5. Regular Audits

    • Review third-party scripts quarterly
    • Update policies when adding new services
    • Monitor for new security best practices

Example Usage

When invoked, this skill should:

  1. Analyze the current codebase comprehensively
  2. Generate environment-specific CSP policies
  3. Provide actionable code changes
  4. Format output according to user/DevOps requirements
  5. Include warnings and security recommendations
  6. Provide implementation timeline/roadmap