HashCSP is a powerful Python tool designed to generate and validate Content Security Policy (CSP) headers for web applications. It helps developers secure their websites by creating comprehensive CSP headers that mitigate risks like Cross-Site Scripting (XSS) by specifying trusted sources for scripts, styles, and other resources.
- Generate CSP Headers: Scan local HTML files to generate CSP headers with:
- Hashes for inline scripts and styles
- External resource tracking
- Smart directive management
- Validate CSP Headers: Compare existing CSP headers against scanned resources with:
- Detailed mismatch reports
- Hash and link difference metrics
- Suggestions for updates
- Remote Site Analysis:
- Fetch and analyze remote websites using Playwright
- Support for dynamic content and JavaScript execution
- Multiple interaction levels (none, basic scrolling, advanced clicking/hovering)
- Smart retry logic for reliability
- Dynamic Content Handling:
- Capture dynamically inserted scripts and styles
- Track network requests in real-time
- Adaptive waiting based on DOM mutations
- Late-loaded resource hashing
- Rich CLI Interface:
- Colored output with progress indicators
- Detailed error reporting
- Dry-run mode for preview
- Verbose and silent modes
- Comprehensive Logging:
- Structured JSON logging
- Configurable log levels and formats
- Detailed error context
- Audit trail for debugging
- Python 3.12 or higher
- Poetry for dependency management
-
Clone the repository:
git clone https://github.com/Ameen-AB/HashCSP.git cd HashCSP -
Install with Poetry:
poetry install eval $(poetry env activate) # To activate poetry environment
-
Install Playwright browsers (required for remote site analysis):
playwright install
Build:
docker-compose buildRun:
docker-compose run --rm hashcsp --helpHashCSP provides three main commands: generate, validate, and fetch.
Generate a CSP header by scanning local HTML files:
hashcsp generate -p ./publicOptions:
-p/--path: Directory containing HTML files (required)-o/--output: Output file (defaults tocsp.conf)-d/--directives: Add custom directives (e.g.,script-src:'self' https://example.com)-f/--directives-file: Load directives from JSON file--json-output: Output in JSON format--lint: Check for unsafe sources--dry-run: Preview without writing to disk
Compare an existing CSP header against current resources:
hashcsp validate -p ./public -f csp.confOptions:
-p/--path: Directory containing HTML files (required)-f/--file: Existing CSP header file (required)
Fetch and analyze a remote website:
hashcsp fetch -u https://example.com --interaction-level 2 --wait 5 --compareOptions:
-u/--url: Website URL (required)-o/--output: Output file (defaults tocsp.conf)-w/--wait: Wait time for resources in seconds (default: 2)--compare: Compare with site's existing CSP-i/--interaction-level: User interaction simulation:0: No interaction (default)1: Basic scrolling2: Advanced clicking/hovering
-r/--retries: Number of retry attempts (default: 2)--dry-run: Preview mode
Configure logging behavior through environment variables:
LOG_LEVEL: Set logging level (DEBUG, INFO, WARNING, ERROR, CRITICAL)LOG_FORMAT: Choose output format (json, console)LOG_FILE: Specify log file pathLOG_MAX_BYTES: Maximum log file sizeLOG_BACKUP_COUNT: Number of backup files to keep
Example:
export LOG_FORMAT=json
export LOG_LEVEL=INFO
hashcsp generate -p ./publicCreate a hashcsp.json file to define default CSP directives:
{
"directives": {
"default-src": ["'self'"],
"script-src": ["'self'", "https://trusted.com"],
"style-src": ["'self'"]
}
}- Fork the repository
- Install development dependencies:
poetry install --with dev
- Run tests:
poetry run pytest
- Ensure code quality:
poetry run ruff check . poetry run black . poetry run isort . poetry run mypy hashcsp
- Submit a pull request
HashCSP is licensed under the MIT License. See the LICENSE file for details.
See ROADMAP.md for upcoming features and development plans.