CSP, explained
A working knowledge of Content Security Policy — written for engineering and security teams who want to deploy a strict policy without breaking production.
Articles
Scanner
How our crawler works
How Consepo discovers pages, what our platform does first, which scan controls shape coverage, and why monitoring still matters after the crawl.
Fundamentals
What is a Content Security Policy?
A glossary-style introduction: what CSP is, what attacks it stops, how it's delivered, and why it's worth deploying. Start here if you're new to the topic.
Reference
CSP directive reference
Every directive that matters in real-world policies — fetch, document, navigation, and reporting — with the source-expression tokens you'll use to write them.
Threat model
Preventing XSS with a Content Security Policy
Reflected, stored, and DOM-based XSS — what each looks like, what CSP catches, and what it doesn't. Includes a strict-CSP starter header.
Strict CSP
Nonces, hashes, and allowlists
The three ways to allow inline and dynamic scripts under a strict CSP. When each fits, what the tradeoffs are, and what 'strict-dynamic' actually does.
Implementation
CSP hashes and SRI
A practical guide to the two hash workflows teams confuse most often: inline CSP hashes for fixed markup and SRI for external scripts or stylesheets.
Rollout
Content Security Policy best practices
A practical path for validating, scanning, generating, monitoring, and enforcing a CSP without breaking production.
Deployment
Report-Only vs. enforcement
The rollout pattern that lets you ship a strict CSP without breaking production. Six steps from first scan to a maintained, enforced policy.