
csp-header-generator skill

/csp-header-generator

This skill generates a complete CSP header configuration adhering to CSP Level 3 to enhance web security.

npx playbooks add skill ehtbanton/claudeskillsrepo --skill csp-header-generator


Files (2)
SKILL.md
703 B
---
name: csp-header-generator
description: Generate Content Security Policy (CSP) header configurations for web security. Triggers on "create csp header", "generate content security policy", "csp config", "security headers".
---

# CSP Header Generator

Generate Content Security Policy configurations for enhanced web security.

## Output Requirements

**File Output:** CSP configuration or middleware code
**Format:** Valid CSP directives
**Standards:** CSP Level 3

## When Invoked

Immediately generate a complete CSP configuration for the application type.

## Example Invocations

**Prompt:** "Create CSP headers for React SPA"
**Output:** Complete CSP configuration with appropriate directives.

Overview

This skill generates Content Security Policy (CSP) header configurations tailored to application types and deployment needs. It outputs complete, valid CSP Level 3 directives or ready-to-use middleware snippets for common platforms. The goal is to reduce attack surface by providing pragmatic, secure defaults and options for incremental relaxation.

How this skill works

Provide the application type, frameworks, third-party services, and any runtime needs (inline scripts, eval, CDN usage). The skill analyzes those inputs and produces a CSP policy that balances strictness with required functionality, including report-only options and example middleware. It validates directives against CSP Level 3 semantics and includes practical comments for customization.

When to use it

  • Onboarding security headers for a new web app (SPA, MPA, server-rendered).
  • Hardening an existing site that uses external scripts, styles, or media.
  • Creating report-only policies to test impact before enforcement.
  • Providing middleware code for Express, Fastify, Cloudflare Workers, or similar.
  • Auditing CSP after adding third-party analytics, A/B testing, or widgets.

Best practices

  • Start with a strict report-only policy to detect violations before enforcing.
  • Prefer nonces or hashes for required inline scripts/styles instead of 'unsafe-inline'.
  • Limit script and style sources to explicit origins and avoid wildcard hosts.
  • Use 'upgrade-insecure-requests' and 'block-all-mixed-content' for mixed-content mitigation when applicable.
  • Maintain a short, documented allowlist for trusted CDNs and third-party services.

Example use cases

  • Create CSP headers for a React SPA served from a single origin with assets on a CDN.
  • Generate a report-only policy for a legacy MPA to discover inline script usage.
  • Produce Express middleware that sets CSP with nonces generated per response.
  • Create a CSP that allows embedded videos from specific providers but blocks other frames.
  • Provide a minimal CSP for an API-driven site that serves no inline scripts and only trusted third-party fonts.

FAQ

Can this generate middleware for my Node/Express app?

Yes. Request the target platform and it will output example middleware showing header setting and nonce generation.

How do I handle inline scripts?

Prefer nonces or script hashes. The skill can produce examples for generating nonces per response or computing hashes for static inline scripts.