Policy Generation

Once you've approved your sources, ScriptAttest can automatically generate a strict, secure Content Security Policy tailored to your site.

How Policy Generation Works

ScriptAttest generates your CSP policy by:

  1. Collecting approved sources - Gathers all domains, hashes, and unsafe directives you've approved
  2. Organizing by directive - Groups sources by CSP directive (script-src, style-src, img-src, etc.)
  3. Applying strict mode - Optionally enforces stricter rules for scripts and styles
  4. Adding report-uri - Includes your ScriptAttest report endpoint for violation monitoring
  5. Formatting the policy - Generates the final CSP header string

Enforcement Mode

All generated policies start in Report-Only mode. In this mode, the browser observes and reports violations but does not block any requests. This lets you safely tune your policy before enabling enforcement.

To switch to Blocking mode, use the enforcement mode toggle in the dashboard CSP tab, or call the switch-mode API endpoint. Switching creates a new policy revision — the policy content is unchanged.

Policy Options

Strict Scripts

When enabled, strict scripts mode:

  • Requires explicit domain approval for all external scripts
  • Blocks scripts from unapproved domains
  • Prevents inline scripts unless explicitly approved via hash

Recommended: Enable this for maximum security, especially for sites handling sensitive data.

Strict Styles

When enabled, strict styles mode:

  • Requires explicit domain approval for all external stylesheets
  • Blocks stylesheets from unapproved domains
  • Prevents inline styles unless explicitly approved via hash

Note: Some CSS-in-JS libraries may require 'unsafe-inline' for styles. Consider this when enabling strict mode.

Auto-Approve First-Party

When enabled, automatically approves all resources from your own domain. This is useful for:

  • Sites with many first-party resources
  • Reducing manual approval work
  • Trusting your own infrastructure

Note: Make sure your domain is correctly configured before enabling this option.

CSP Directives

ScriptAttest generates policies with the following directives:

default-src

Fallback directive for all resource types. Typically set to 'self' to allow same-origin resources.

script-src

Controls which scripts can be executed. Includes:

  • Approved domains for external scripts
  • SHA-256 hashes for approved inline scripts
  • 'unsafe-inline' or 'unsafe-eval' if approved

style-src

Controls which stylesheets can be loaded. Similar to script-src but for CSS.

img-src

Controls which images can be loaded. Includes approved domains for:

  • Image CDNs
  • Tracking pixels
  • External avatars or media

connect-src

Controls which URLs can be loaded via fetch, XHR, WebSocket, etc. Includes:

  • API endpoints
  • WebSocket connections
  • Analytics endpoints

font-src

Controls which fonts can be loaded. Typically includes:

  • Google Fonts
  • Adobe Fonts
  • Self-hosted fonts

Violation Reporting

ScriptAttest automatically adds both reporting directives for maximum browser compatibility:

  • report-to csp-endpoint - For Chrome, Edge, Brave (Reporting API v1)
  • report-uri https://scriptattest.com/api/csp/report/YOUR_TOKEN - For Firefox, Safari
Important: For Chrome/Edge/Brave to send reports, you must also add a Reporting-Endpoints header to your server. See the deployment guide for details.

Policy Modes

Each policy has an enforcementMode field: "report-only" or "enforcing". This determines which HTTP header is used when deploying via ScriptAttest.

Report-Only Mode (enforcementMode: "report-only")

In report-only mode, the CSP policy:

  • Monitors violations but doesn't block resources
  • Allows you to test policies safely
  • Sends violation reports to ScriptAttest

Deployed using the Content-Security-Policy-Report-Only header.

Enforcing Mode (enforcementMode: "enforcing")

In enforcing mode, the CSP policy:

  • Actually blocks violating resources
  • Provides real security protection
  • Still sends violation reports

Deployed using the Content-Security-Policy header.

Warning: Always test in report-only mode first. Enforcing a policy with missing sources will break your site.

Generating a Policy

To generate a policy:

  1. Ensure you've approved all necessary sources
  2. Navigate to the CSP Management tab
  3. Configure policy options (strict mode, auto-approve, etc.)
  4. Click Generate Policy
  5. Review the generated policy
  6. Copy the policy string for deployment

Policy Format

Generated policies follow the standard CSP format: 

default-src 'self'; script-src 'self' 'sha256-...' https://cdn.example.com; style-src 'self' https://fonts.googleapis.com; img-src 'self' data: https://*.example.com; connect-src 'self' https://api.example.com; font-src 'self' https://fonts.gstatic.com; report-uri https://scriptattest.com/api/csp/report/TOKEN

Updating Policies

When you approve or reject new sources, you'll need to regenerate your policy. ScriptAttest maintains a history of all generated policies, so you can:

  • View previous policy versions
  • Restore a previous policy if needed
  • Compare policy changes

Best Practices

  • Start with report-only - Deploy in report-only mode first to catch issues
  • Enable strict mode - Use strict scripts and styles for better security
  • Review before deploying - Check the generated policy makes sense
  • Test thoroughly - Use validation scans before enforcing
  • Keep policies updated - Regenerate when adding new features

Next Steps

After generating your policy:

  1. Validate the policy against your live site
  2. Deploy the policy to your server
  3. Monitor violations and refine as needed