cspresso
Turn real page loads into a CSP you can ship
cspresso crawls same-origin pages with headless Chromium (Playwright), watches the assets that load,
and emits a draft Content-Security-Policy header.
$ pipx install cspresso
$ cspresso https://example.com --max-pages 10
Why it exists
CSP is powerful but notoriously fiddly: a policy written from memory usually misses an origin, and the first sign is a broken page. cspresso automates the "observe what loads" part by letting a real browser execute the app, then distils the origins it saw requested into per-directive source lists you can review before shipping.
It can help with
- Discovering which origins your app actually depends on
- Drafting a baseline policy for review
- Evaluating candidates as Report-Only and failing CI on violations
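The distillation step described above, and the Report-Only variant the last item refers to, as an added worked example. This is not cspresso's own code: it assumes a Playwright-style resource-type label on each load and uses a constructed list of observed loads in place of a real crawl of https://example.com. The resource-type-to-directive table, the `Load` type and the `distil`/`render` names are illustrative assumptions.

```python
"""Distil observed resource loads into a draft CSP (added example, not cspresso's code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumed mapping from Playwright's request.resource_type values to the CSP
# directive that governs them. Inline <script>/<style> and eval() never show
# up here: they are not network loads, so a Report-Only stage is the only way
# to discover that the draft needs nonces/hashes for them.
TYPE_TO_DIRECTIVE = {
    "script": "script-src",
    "stylesheet": "style-src",
    "image": "img-src",
    "font": "font-src",
    "media": "media-src",
    "xhr": "connect-src",
    "fetch": "connect-src",
    "eventsource": "connect-src",
    "websocket": "connect-src",
    "document": "frame-src",  # only for sub-frame documents, see Load.is_main_frame
}


@dataclass
class Load:
    resource_type: str          # Playwright resource type label (assumed)
    url: str
    is_main_frame: bool = True  # False when the request came from an <iframe>


def source_for(url: str, page_origin: str) -> Optional[str]:
    """Reduce a loaded URL to a CSP source expression: 'self' for same-origin,
    a scheme source for data:/blob:, otherwise the bare origin (never a path),
    or None when the URL has no origin at all (about:blank and friends).
    Note: an explicit default port (https://host:443) is not normalised here."""
    parts = urlsplit(url)
    if parts.scheme in ("data", "blob"):
        return f"{parts.scheme}:"
    if not parts.netloc:
        return None
    origin = f"{parts.scheme}://{parts.netloc}"
    return "'self'" if origin == page_origin else origin


def distil(loads: List[Load], page_origin: str) -> Dict[str, List[str]]:
    """Group observed loads into directive -> sorted list of source expressions."""
    sources = defaultdict(set)
    for load in loads:
        # Top-level navigations are the pages we crawled, not framed content.
        if load.resource_type == "document" and load.is_main_frame:
            continue
        directive = TYPE_TO_DIRECTIVE.get(load.resource_type)
        src = source_for(load.url, page_origin) if directive else None
        if src:
            sources[directive].add(src)
    return {d: sorted(s) for d, s in sources.items()}


def render(directives: Dict[str, List[str]], report_only: bool = False,
           report_uri: Optional[str] = None) -> str:
    """Serialise to a header line. default-src 'self' is the fallback for every
    directive we did not observe, so unlisted resource types stay blocked."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    parts = ["default-src 'self'"]
    parts += [f"{d} {' '.join(s)}" for d, s in sorted(directives.items())]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return f"{name}: {'; '.join(parts)}"


# Constructed sample, standing in for what a crawl of https://example.com might see.
PAGE_ORIGIN = "https://example.com"
OBSERVED = [
    Load("document", "https://example.com/"),
    Load("script", "https://example.com/static/app.js"),
    Load("script", "https://cdn.jsdelivr.net/npm/lodash@4/lodash.min.js"),
    Load("stylesheet", "https://example.com/static/site.css"),
    Load("stylesheet", "https://fonts.googleapis.com/css2?family=Inter"),
    Load("font", "https://fonts.gstatic.com/s/inter/v12/inter.woff2"),
    Load("image", "https://example.com/logo.png"),
    Load("image", "data:image/png;base64,iVBORw0KGgo="),
    Load("image", "blob:https://example.com/3f2a"),
    Load("xhr", "https://api.example.com/v1/session"),
    Load("websocket", "wss://api.example.com/live"),
    Load("document", "https://www.youtube.com/embed/abc", is_main_frame=False),
]

if __name__ == "__main__":
    policy = distil(OBSERVED, PAGE_ORIGIN)
    print(render(policy, report_only=True, report_uri="/csp-report"))  # stage 1: observe
    print(render(policy))                                              # stage 2: enforce
```

Two things to check in the draft before enforcing it. First, a shared CDN origin such as https://cdn.jsdelivr.net in script-src allows any script that CDN hosts, not just the one you observed; pin such entries with a hash or SRI, or self-host. Second, run the Report-Only form first and watch the report endpoint: violations for inline scripts, inline event handlers or eval() cannot be seen by watching network loads, and they are exactly what breaks when the same policy is enforced.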
Need a CSP rollout?
I can help you roll out CSP safely with monitoring, reporting, and staged enforcement.
Contact me