CSP for modern web apps

A CSP that survives your bundler, your CDN, and your auth wall.

Single-page apps and modern web apps load chunks at runtime, render through frameworks, and route around static analysis. Consepo runs the site like a real browser does, then writes the policy from what actually executed.

Hand-writing script-src for a Vite or Next.js app is mostly guesswork — async chunks, dynamic imports, and runtime-loaded code aren't visible to source scanners. A rendered crawl maps the directives you actually need, and monitoring covers the routes the crawler can't reach because they're behind a login.

  • Render in Chromium so the policy reflects what your bundle actually loads.
  • Get nonce, hash, and strict-dynamic guidance grounded in your code.
  • Cover authenticated routes with monitoring, not just the public ones.

Need the standard behind the workflow? Read the W3C CSP Level 3 specification.

Consepo Workflow

App rollout pipeline

  1. Browser-executed crawl of public routes
  2. Directive-by-directive review of script and style sources
  3. Monitoring for authenticated and dynamic flows
  4. Export targets for Workers, edge functions, and origin servers

Stop guessing about script-src

Modern bundlers split code in ways static analysis can't see. A rendered crawl captures every chunk, vendor library, and CDN origin that actually runs.

Choose nonces, hashes, and strict-dynamic with evidence

Inline patterns, framework injections, and third-party loaders each have different mitigations. Consepo shows what's running so you can pick the right strategy per directive.

Cover the routes a crawler never sees

Authenticated dashboards, settings pages, and personalized views only load their full set of scripts during real sessions. Monitoring catches those without you having to record fixtures.

Workflow

How this fits the Consepo rollout

Step 1

Crawl the public surface in a real browser

Consepo loads each route the way a user does and records every script, style, font, and frame the bundler resolves at runtime.

Step 2

Decide on directive strategies

Pick where nonces, hashes, or strict-dynamic make sense based on the inline and dynamic code your app actually ships.

Step 3

Roll out and monitor authenticated flows

Deploy in Report-Only, let monitoring watch the rest of the app, then enforce once the production picture stabilizes.

Deliverables

What teams get out of it

  • A CSP rooted in what your bundle and CDN actually load
  • Strategy guidance for nonces, hashes, and strict-dynamic
  • Coverage that extends past the login wall

Next step

Scan the site, review the evidence, and move toward an enforceable CSP.

Consepo is built to help teams go from first crawl to stable policy rollout without guessing which sources belong in the final header.