Content-Security-Policy Builder & Linter
Web Security / Hardening
Instant

Content-Security-Policy Builder & Linter

Freebugcircuit-csp.zip · 35 KB · v1.0.0

Audit any Content-Security-Policy for weaknesses, or generate a hardened one from a one-line config - offline, in seconds.

bugcircuit-csp is a single-file, zero-dependency command-line tool that helps you get your Content-Security-Policy right. A misconfigured CSP is one of the most common web-hardening mistakes: unsafe-inline left in, a stray * wildcard, http: sources that invite tampering, or a missing base-uri/frame-ancestors that quietly leaves you open to <base> hijacking and clickjacking. This tool catches all of that.

The lint command parses a policy - from a flag, a file, or piped straight out of curl - and reports every weakness with a severity (CRITICAL down to INFO), a plain-English explanation of *why* it matters, and a concrete fix. The build command goes the other way: give it a friendly config like script=self,cdn.example.com and it emits a hardened policy with a sensible locked-down baseline (object-src 'none', base-uri 'none', frame-ancestors 'none', form-action 'self'), a matching Report-Only variant for safe rollout, and nonce placeholders with guidance on wiring them up per response. Add --json to either command to drop it straight into CI.

It runs anywhere Python 3.8+ runs - Windows, macOS, Linux - with nothing to install and no network calls whatsoever. Everything happens locally on policy text you provide. It is strictly an auditing and authoring aid for your own sites: no scanning, no exploitation, no traffic. Download it, run it, ship a tighter header. Brought to you free by Bug Circuit.

How to use

  • Confirm Python 3.8+ is installed: run python3 --version (use python on Windows).
  • Download bugcircuit-csp.py - no pip install, no dependencies, it runs as-is.
  • Audit an existing policy: python3 bugcircuit-csp.py lint --policy "<your CSP>" or pipe one in from curl.
  • Read the findings: each is tagged with a severity, the offending directive, why it is risky, and how to fix it.
  • Generate a hardened header: python3 bugcircuit-csp.py build --set script=self,cdn.example.com --set style=self.
  • Roll out safely by deploying the Report-Only variant first, then switch to the enforcing header once reports are clean. Add --json for CI pipelines.

Example commands

python3 bugcircuit-csp.py lint --policy "default-src 'self'; script-src 'unsafe-inline' *"
python3 bugcircuit-csp.py lint --file mysite-csp.txt --json
curl -sI https://your-site.example | grep -i content-security-policy | python3 bugcircuit-csp.py lint
python3 bugcircuit-csp.py build --set script=self,cdn.example.com --set style=self --set img=self,data:
python3 bugcircuit-csp.py build --config csp.conf --output headers.txt
python3 bugcircuit-csp.py lint --file report-only.txt --report-only

Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.

Download free

Downloads are free. You’ll sign in to a free store account (any email — takes 10 seconds) so you can re-download any time from your account.

Free & open — runs on your machineRe-download any time Real human support

Something not right with your order? Email [email protected] — the same team that runs our security audits makes it right.