Content Security Policy
Checks for Content-Security-Policy header and validates directives
| Property | Value |
| --- | --- |
| Rule ID | security/csp |
| Category | Security |
| Scope | Site-wide |
| Severity | warning |
| Weight | 6/10 |
Solution
CSP prevents XSS attacks by restricting which sources the browser may load resources from. Start with a report-only policy (Content-Security-Policy-Report-Only) to identify what would break before enforcing it. Key directives: default-src 'self', script-src (avoid 'unsafe-inline'), img-src, style-src, frame-ancestors. Use nonces or hashes instead of 'unsafe-inline' for scripts. Test thoroughly, because a strict CSP can break existing functionality.
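To show the kind of check this rule performs, here is an added Python example (not squirrel's own code) that parses a CSP header value and flags the problems described above: a missing header, a report-only policy with nothing enforced, missing key directives, and 'unsafe-inline' or wildcard sources in script-src. The REQUIRED and RISKY_SOURCES lists and the sample headers are constructed for the example.

```python
"""Minimal CSP header parser and directive validator (added example, not squirrel code)."""

# Directives this example treats as required; an assumption based on the rule text above.
REQUIRED = ("default-src", "script-src", "frame-ancestors")
# Source expressions that make script-src ineffective against XSS.
RISKY_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}; directive names are case-insensitive."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # browsers honour the first occurrence of a directive
    return policy


def validate_csp(headers: dict[str, str]) -> list[str]:
    """Return a list of findings for a response's headers; an empty list means no issue found."""
    lower = {k.lower(): v for k, v in headers.items()}
    enforced = lower.get("content-security-policy")
    report_only = lower.get("content-security-policy-report-only")
    if enforced is None and report_only is None:
        return ["missing Content-Security-Policy header"]
    findings = []
    if enforced is None:
        findings.append("policy is report-only; nothing is enforced yet")
    policy = parse_csp(enforced if enforced is not None else report_only)
    for name in REQUIRED:
        # script-src falls back to default-src when absent; frame-ancestors never falls back.
        if name not in policy and not (name == "script-src" and "default-src" in policy):
            findings.append(f"missing directive {name}")
    scripts = policy.get("script-src", policy.get("default-src", []))
    for src in scripts:
        if src in RISKY_SOURCES:
            findings.append(f"script-src allows {src}; use nonces or hashes instead")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one weak, one strict.
    weak = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
    strict = {"Content-Security-Policy":
              "default-src 'self'; script-src 'nonce-abc123'; frame-ancestors 'none'"}
    for label, hdrs in (("weak", weak), ("strict", strict)):
        print(label, validate_csp(hdrs) or ["ok"])
```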
Enable / Disable
Disable this rule

squirrel.toml
```toml
[rules]
disable = ["security/csp"]
```

Disable all Security rules

squirrel.toml
```toml
[rules]
disable = ["security/*"]
```

Enable only this rule

squirrel.toml
```toml
[rules]
enable = ["security/csp"]
disable = ["*"]
```