Security Plugins Hub

Bring your software development workflows to security


Content Security Policy


Signals & Triggers

On request


  • Set the header


A Content Security Policy (CSP) is delivered in an HTTP header that restricts which external assets (scripts, styles, media and so on) the browser may load. Enforcing a CSP can protect your app from Cross-Site Scripting (XSS), clickjacking and other code injection attacks.

The CSP lists all the authorized domains and resource types your app is allowed to use (web workers, images, fonts, media, scripts, frames, stylesheets). So if a user loads a page into which an attacker has injected a malicious resource, the browser still renders your page but refuses to load the attacker's resource.

A CSP is a very powerful protection but can be hard to manage at scale.

This plugin helps you craft and deploy a strong CSP by listing and filtering all the domains seen in your traffic, and helps you maintain it by notifying you when new domains try to load resources. Once enabled, it automatically sets the Content-Security-Policy-Report-Only header (reporting mode) or the Content-Security-Policy header (blocking mode), depending on which mode you enabled.

Advanced details

For each violation report, the reported domain is matched against internal blacklists to exclude non-legitimate domains.

Based on the whitelisted domains and their category (script, connection source, media, etc.), the right policy is generated. You can also add domains manually at any time.
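The workflow described above (pick the reporting or blocking header, ingest browser violation reports, drop blacklisted domains, generate the policy from the whitelisted domains per category) as an added, self-contained example. This is not Sqreen's code: the blocklist, the sample reports and the `/csp-report` endpoint are constructed for illustration, and the report shape follows the `csp-report` JSON browsers POST to a `report-uri` endpoint.

```python
"""Toy CSP manager: choose the header, ingest violation reports, maintain an allowlist."""
import json
from urllib.parse import urlsplit

# Resource categories this toy manager tracks; other effective-directives are ignored.
DIRECTIVES = ("script-src", "style-src", "img-src", "font-src", "media-src",
              "connect-src", "frame-src", "worker-src")

# Hypothetical internal blocklist of domains that must never be whitelisted (constructed).
BLOCKLIST = {"evil.example"}

# Constructed sample report bodies, shaped like a browser's report-uri POST.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://app.example/",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example/lib.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/",
                               "effective-directive": "img-src",
                               "blocked-uri": "https://evil.example/pixel.gif"}}),
    # Inline script blocked: "inline" is not a domain and must not be whitelisted.
    json.dumps({"csp-report": {"document-uri": "https://app.example/",
                               "effective-directive": "script-src",
                               "blocked-uri": "inline"}}),
    # Older browsers send only violated-directive, with the source list attached.
    json.dumps({"csp-report": {"document-uri": "https://app.example/",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "https://cdn.example/lib.js"}}),
]


def host_of(blocked_uri):
    """Return the lower-cased host of a blocked-uri, or None when it is not a URL.

    Browsers send literal tokens such as "inline", "eval" or a "data:" URI when the
    blocked resource has no origin; those never belong in a domain allowlist.
    """
    parts = urlsplit(blocked_uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def ingest_report(raw_json, allowlist, blocklist=BLOCKLIST):
    """Parse one report body and record the (directive, host) it names in allowlist.

    Returns (directive, host, status) with status one of
    "added", "known", "blocklisted" or "ignored".
    """
    report = json.loads(raw_json).get("csp-report", {})
    # Prefer effective-directive; fall back to the first token of violated-directive.
    directive = (report.get("effective-directive")
                 or report.get("violated-directive") or "").split(" ")[0]
    host = host_of(report.get("blocked-uri", ""))
    if directive not in DIRECTIVES or host is None:
        return directive, host, "ignored"
    if host in blocklist:
        return directive, host, "blocklisted"
    hosts = allowlist.setdefault(directive, set())
    if host in hosts:
        return directive, host, "known"
    hosts.add(host)
    return directive, host, "added"


def build_policy(allowlist, report_uri="/csp-report"):
    """Generate the policy: 'self' by default, plus the allowlisted hosts per directive."""
    parts = ["default-src 'self'"]
    for directive in DIRECTIVES:
        hosts = sorted(allowlist.get(directive, ()))
        if hosts:
            parts.append(f"{directive} 'self' " + " ".join(f"https://{h}" for h in hosts))
    parts.append("frame-ancestors 'none'")  # the clickjacking protection
    parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def csp_header(policy, enforce):
    """Return the (name, value) pair: Report-Only observes, the plain header blocks."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, policy


def run_sample():
    """Feed the constructed reports through the pipeline; returns (statuses, policy)."""
    allowlist = {}
    statuses = [ingest_report(r, allowlist)[2] for r in SAMPLE_REPORTS]
    return statuses, build_policy(allowlist)


if __name__ == "__main__":
    statuses, policy = run_sample()
    print(statuses)
    print(csp_header(policy, enforce=False))
```

Start in reporting mode: the Report-Only header makes browsers send reports without blocking anything, so the allowlist fills up from real traffic before you switch `enforce=True`. Note that a blocked inline script shows up as `blocked-uri: inline` and is deliberately not turned into an allowlisted domain.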

Language support

  • Ruby
  • Node.js
  • PHP
  • Python
  • Java

Data collected by Sqreen

  • CSP violations report

On attack

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

  • Ruby
  • Node.js
  • PHP
  • Python
  • Java
  • Go
  • .net

Ruby:

$ echo "gem 'sqreen'" >> Gemfile
$ bundle install
$ echo "token: your token" > config/sqreen.yml

Node.js:

$ npm install --save sqreen
$ echo '{ "token": "your token" }' > sqreen.json

PHP (installer URL not preserved on the page):

$ curl -s > && bash your token

Python:

$ pip install sqreen
$ echo -e "[sqreen]\ntoken: your token" > sqreen.ini

Java (download URL not preserved on the page):

$ curl -o sqreen.jar

Go: request your beta access for the Go agent.
.net: get notified when the .net agent releases.

Build amazing products. Keep them safe.

5 min installation · Try all features for 14 days · No credit card required