https://github.com/jacobbednarz/csp-validator
A validator (including best practices) for content security policies
- Host: GitHub
- URL: https://github.com/jacobbednarz/csp-validator
- Owner: jacobbednarz
- License: mit
- Created: 2014-10-10T08:49:11.000Z (over 10 years ago)
- Default Branch: master
- Last Pushed: 2016-08-30T00:30:39.000Z (over 8 years ago)
- Last Synced: 2025-02-27T04:47:39.854Z (2 months ago)
- Language: Ruby
- Size: 125 KB
- Stars: 3
- Watchers: 3
- Forks: 2
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Content security policy validator
While rolling out a content security policy, I failed to find any good validators on the interwebz that managed to pick up things like deprecation warnings and best practices. Here is my solution.
### Installation
```sh
git clone git@github.com:jacobbednarz/csp-validator.git
```
### Usage
The executable accepts either a URL or a string inline. Examples:
```sh
# As an inline string
./validate-csp "default-src *; img-src cdn.domain.com assets.domain.com"
# URL of a page
./validate-csp http://google.com
```
### Checks
The following checks are run:
- Ensure a 'default-src' is present (it is the fallback for any directives that are not set).
- Malformed URLs.
- Deprecation of directives.
### Example
```sh
$ ./validate-csp http://example.com
[ ✔︎ ] 'default-src' is present.
[ ✔︎ ] 'script-src' was found.
[ ✔︎ ] 'object-src' was found.
[ ✔︎ ] 'img-src' was found.
[ ✔︎ ] 'media-src' was found.
[ ✔︎ ] 'frame-src' was found.
[ ✔︎ ] 'font-src' was found.
[ ✔︎ ] 'frame-ancestors' was found.
[ ✔︎ ] 'connect-src' was found.
[ ✔︎ ] 'style-src' was found.
[ ✻ ] 'frame-src' is being deprecated in favour of 'child-src' - See http://bit.ly/1uTJ3Ye.
[ ✔︎ ] Violation reporting endpoint found.
```
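The checks listed above (default-src fallback, malformed sources, deprecated directives, reporting endpoint), worked as a small Ruby script. This is an added illustration, not the project's own code; the directive list, the source-syntax rule and the :ok/:warn/:error levels are assumptions, and the inline policy strings are constructed samples.

```ruby
# Illustrative CSP checker (not csp-validator's own code). Directive lists and
# the source-syntax rule are assumptions chosen to mirror the README's checks.
FETCH_DIRECTIVES = %w[script-src object-src img-src media-src frame-src
                      font-src connect-src style-src child-src].freeze
HOST_DIRECTIVES  = (FETCH_DIRECTIVES + ['default-src']).freeze
DEPRECATED       = { 'frame-src' => 'child-src' }.freeze # as the README's sample run reports

# "a b; c d e" -> { "a" => ["b"], "c" => ["d", "e"] }
def parse_csp(policy)
  policy.split(';').each_with_object({}) do |chunk, acc|
    name, *sources = chunk.strip.split(/\s+/)
    acc[name.downcase] = sources unless name.nil? || name.empty?
  end
end

# Accepts '*', keyword/nonce/hash sources ('self', 'nonce-...'), scheme sources
# (https:) and host expressions (optional scheme://, *.label, host, :port, /path).
def valid_source?(src)
  return true if src == '*' || src.match?(/\A'[^']*'\z/) || src.match?(/\A[a-z][a-z0-9+.-]*:\z/i)
  src.match?(%r{\A(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::(?:\d+|\*))?(?:/\S*)?\z}i)
end

# Returns [[level, message], ...] with level :ok, :warn or :error.
def check_csp(policy)
  d = parse_csp(policy)
  out = []
  has_default = d.key?('default-src')
  out << [has_default ? :ok : :error,
          has_default ? "'default-src' is present." : "'default-src' is missing; unset fetch directives have no fallback."]
  FETCH_DIRECTIVES.each do |name|
    next if d.key?(name)
    # Without default-src a missing fetch directive means "allow everything" for that type.
    out << [has_default ? :warn : :error, "'#{name}' not set#{' (falls back to default-src)' if has_default}."]
  end
  d.each do |name, sources|
    out << [:warn, "'#{name}' is deprecated in favour of '#{DEPRECATED[name]}'."] if DEPRECATED.key?(name)
    next unless HOST_DIRECTIVES.include?(name) # report-uri etc. take URIs, not source lists
    sources.reject { |s| valid_source?(s) }.each { |s| out << [:error, "'#{name}' has malformed source '#{s}'."] }
  end
  reporting = d.key?('report-uri') || d.key?('report-to')
  out << [reporting ? :ok : :warn, reporting ? 'Violation reporting endpoint found.' : 'No violation reporting endpoint set.']
end

if __FILE__ == $PROGRAM_NAME
  mark = { ok: '✔︎', warn: '✻', error: '✘' }
  policy = ARGV.first || "default-src *; img-src cdn.domain.com assets.domain.com; frame-src http:/broken"
  check_csp(policy).each { |level, msg| puts "[ #{mark[level]} ] #{msg}" }
end
```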