Security
Security notes
cspresso runs a real browser. That’s the point - and also the main safety consideration.
What cspresso does
cspresso launches Chromium via Playwright and loads your target pages. The site’s JavaScript and CSS execute like a normal browser session. Network requests are observed to build a draft CSP, and (optionally) a candidate policy is injected as Report‑Only to capture violations.
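The two steps above in miniature, as an added example that is not cspresso's own code: derive a draft policy from a list of observed requests, then check violation reports captured from a Report-Only run against that draft to see what it still misses (the inline-script gap is the case where the "consider nonces" advice further down applies). The request objects use Playwright's request.resourceType() names, the reports use the browser's JSON csp-report body shape, and both sample lists are constructed for the demo; the source matching is deliberately a strict subset of real CSP matching (no scheme-only sources, host wildcards or paths), so it can over-report gaps but not hide them.

```javascript
// Added example, not part of cspresso. Builds a draft CSP from observed
// requests and checks Report-Only violation reports against it.

// Resource type (Playwright's request.resourceType() names) -> CSP directive.
// Anything not listed falls back to default-src.
const TYPE_TO_DIRECTIVE = {
  script: 'script-src',
  stylesheet: 'style-src',
  image: 'img-src',
  font: 'font-src',
  media: 'media-src',
  xhr: 'connect-src',
  fetch: 'connect-src',
  eventsource: 'connect-src',
  websocket: 'connect-src',
};

// Express a request URL as a CSP source: 'self' for the page's own origin,
// otherwise the bare origin (scheme + host + port).
function toSource(url, pageOrigin) {
  const origin = new URL(url).origin;
  return origin === pageOrigin ? "'self'" : origin;
}

// Build a draft policy from observed requests: [{ url, resourceType }].
// Starts from default-src 'none' so every allowed directive is explicit.
function buildDraft(requests, pageOrigin) {
  const sources = new Map();
  for (const { url, resourceType } of requests) {
    const directive = TYPE_TO_DIRECTIVE[resourceType] || 'default-src';
    if (!sources.has(directive)) sources.set(directive, new Set());
    sources.get(directive).add(toSource(url, pageOrigin));
  }
  const defaultSources = sources.get('default-src') || new Set(["'none'"]);
  const parts = [`default-src ${[...defaultSources].sort().join(' ')}`];
  const rest = [...sources.keys()].filter((d) => d !== 'default-src').sort();
  for (const directive of rest) {
    parts.push(`${directive} ${[...sources.get(directive)].sort().join(' ')}`);
  }
  return parts.join('; ');
}

// Parse "directive src src; directive src" into Map(directive -> [sources]).
// The first occurrence of a directive wins, as in browsers.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...srcs] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name)) directives.set(name, srcs);
  }
  return directives;
}

// Minimal source matching: 'self', '*', exact origin, and for blocked-uri
// "inline" any of 'unsafe-inline' / a nonce / a hash. Real CSP matching is
// broader (scheme-only sources, host wildcards, paths); this strict subset can
// only over-report gaps, never hide one.
function allows(sources, blockedUri, pageOrigin) {
  if (blockedUri === 'inline') {
    return sources.some(
      (s) => s === "'unsafe-inline'" || s.startsWith("'nonce-") || s.startsWith("'sha"),
    );
  }
  let origin;
  try {
    origin = new URL(blockedUri).origin;
  } catch {
    return false; // data:, blob:, or a non-URL token: treat as not covered
  }
  return sources.some(
    (s) => s === '*' || s === origin || (s === "'self'" && origin === pageOrigin),
  );
}

// Violations from a Report-Only run that the draft policy does not cover.
// reports: array of { 'csp-report': { 'effective-directive', 'blocked-uri' } }.
function uncovered(policy, reports, pageOrigin) {
  const directives = parsePolicy(policy);
  const gaps = [];
  for (const { 'csp-report': r } of reports) {
    const directive = r['effective-directive'];
    const sources = directives.get(directive) || directives.get('default-src') || [];
    if (!allows(sources, r['blocked-uri'], pageOrigin)) {
      gaps.push({ directive, blockedUri: r['blocked-uri'] });
    }
  }
  return gaps;
}

// Constructed sample data (hypothetical hosts, not real traffic).
const PAGE_ORIGIN = 'https://app.example';
const SAMPLE_REQUESTS = [
  { url: 'https://app.example/static/app.js', resourceType: 'script' },
  { url: 'https://cdn.example/lib.js', resourceType: 'script' },
  { url: 'https://app.example/style.css', resourceType: 'stylesheet' },
  { url: 'https://api.example/v1/me', resourceType: 'fetch' },
  { url: 'https://app.example/logo.png', resourceType: 'image' },
];
const SAMPLE_REPORTS = [
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example/lib.js' } },
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'effective-directive': 'connect-src', 'blocked-uri': 'wss://live.example' } },
  { 'csp-report': { 'effective-directive': 'img-src', 'blocked-uri': 'https://app.example/logo.png' } },
];

const DRAFT = buildDraft(SAMPLE_REQUESTS, PAGE_ORIGIN);
console.log(DRAFT);
console.log(uncovered(DRAFT, SAMPLE_REPORTS, PAGE_ORIGIN));
```

With the sample data the draft is `default-src 'none'; connect-src https://api.example; img-src 'self'; script-src 'self' https://cdn.example; style-src 'self'`, and two violations remain uncovered: an inline script (fix with a nonce or hash rather than 'unsafe-inline') and a WebSocket origin the crawl never reached, which is exactly the kind of gap a Report-Only pass surfaces before you enforce.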
About --bypass-csp
It can change risk
--bypass-csp strips existing CSP headers from HTML responses before the page renders. It exists so that a site's current policy does not skew the draft: if the existing CSP blocks a resource, that request never happens, cspresso never observes it, and the resulting draft inherits the old policy's blind spots instead of reflecting what the page actually tries to load.
If a site is compromised, CSP might have been limiting what injected scripts could do (that's the whole point of a CSP!); bypassing removes that layer for the browser session cspresso drives.
Recommendation: only use --bypass-csp on sites you trust, or run cspresso inside a sandboxed environment (VM/container).
Data handling
cspresso’s primary output is a policy string and metadata (visited URLs, notes, and - in evaluation mode - detected violations). Treat the output as sensitive if your site URLs or CSP reveal internal endpoints.
Hardening tips
Prefer CI / disposable environments
Running in CI makes it easy to isolate the browser and to cache Chromium via --browsers-path.
Limit crawl scope
Keep --max-pages small and start from a stable landing page to reduce surprises.
Review before enforcing
cspresso emits a draft. Tighten directives (especially script-src/connect-src) and consider nonces.
Verify releases