# Every new security audit tool I built this month, and the CSP that doesn't block Clarity

CSP strictness, Trusted Types, Reporting API, SRI, CORS depth, COOP/COEP, secret leakage, inline event handlers, mixed content, CSP allowlist completeness — what each one catches and why I needed it.

Author: J.A. Watte
Published: April 22, 2026
Source: https://jwatte.com/blog/blog-new-security-audit-tools-2026/

---

A CSP that blocks Microsoft Clarity silently in production is a silent data leak. A CSP with `unsafe-inline` is security theater. The ten tools below are how I stopped shipping both.

## Why eleven tools, not just "run Mozilla Observatory"

Observatory gives you a letter grade. It doesn't tell you:

- Whether your CSP nonces actually cover every inline script.
- Whether scripts loaded on the page are in your allowlist.
- Whether your Trusted Types policy covers every DOM sink.
- Whether your CORS endpoint leaks credentials on ACAO echo-back.
- Whether the page leaks an AWS key in a JS bundle.

Each of those is a specific production failure mode. Each gets its own tool.

## 1. [CSP Strictness Audit](/tools/csp-strictness-audit/)

Parses every directive, checks nonce/hash coverage, `strict-dynamic` adoption, `unsafe-inline` presence, wildcard source lists, `frame-ancestors`, `base-uri`, `object-src 'none'`, Trusted Types directive, and report endpoint. Produces a 0-95 strictness score.

## 2. [CSP Allowlist Completeness](/tools/csp-allowlist-completeness-audit/)

Cross-references every loaded script, stylesheet, iframe, and image against the corresponding CSP directive. Flags the exact host that's blocked. Built after the Lighthouse audit showed `scripts.clarity.ms` was being dropped because I'd allowlisted `www.clarity.ms` instead.
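The host-matching step behind that check, as an added example rather than the tool's own code: a CSP3 source-expression matcher that reports which loaded script URLs the `script-src` allowlist does not cover. The page origin `https://jwatte.com` and the script URLs are assumptions; the Clarity allowlist mismatch is the one the post describes.

```javascript
function schemeMatches(want, got) {
  // CSP lets an http: or ws: expression also cover the secure upgrade of that scheme.
  return want === got || (want === "http" && got === "https") || (want === "ws" && got === "wss");
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {            // "*.clarity.ms" covers subdomains only,
    const suffix = pattern.slice(1);         // never the bare apex "clarity.ms"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;                   // exact host: www.clarity.ms is not scripts.clarity.ms
}

// Does one script-src source expression cover this URL, per CSP3 matching rules?
function sourceCovers(expr, url, pageOrigin) {
  const u = new URL(url), page = new URL(pageOrigin);
  const urlScheme = u.protocol.slice(0, -1);
  if (expr === "'self'") return u.origin === page.origin;
  if (expr.startsWith("'")) return false;    // 'none', nonces, hashes, 'unsafe-*' never match a URL
  const schemeOnly = expr.match(/^([a-z][a-z0-9+.-]*):$/i);
  if (schemeOnly) return schemeMatches(schemeOnly[1].toLowerCase(), urlScheme);
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/\S*)?$/i);
  if (!m) return false;                      // a malformed expression covers nothing
  const [, scheme, host, port, path] = m;
  if (!schemeMatches((scheme || page.protocol.slice(0, -1)).toLowerCase(), urlScheme)) return false;
  if (!hostMatches(host.toLowerCase(), u.hostname.toLowerCase())) return false;
  const urlPort = u.port || (urlScheme === "https" ? "443" : urlScheme === "http" ? "80" : "");
  if (port && port !== "*" && port !== urlPort) return false;
  if (!port && u.port) return false;         // no port in the expression, non-default port in the URL
  if (path) return path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path;
  return true;
}

// Returns every loaded script URL that no expression in the script-src directive covers.
function findUncoveredScripts(scriptSrcDirective, scriptUrls, pageOrigin) {
  const exprs = scriptSrcDirective.trim().split(/\s+/).slice(1); // drop the directive name
  return scriptUrls.filter((url) => !exprs.some((e) => sourceCovers(e, url, pageOrigin)));
}

// Constructed sample: the pre-fix allowlist named www.clarity.ms, but the tag loads from scripts.clarity.ms.
const BEFORE = "script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.clarity.ms";
const LOADED = [
  "https://jwatte.com/js/main.js",
  "https://www.googletagmanager.com/gtag/js?id=EXAMPLE",
  "https://scripts.clarity.ms/example.js",
];
console.log(findUncoveredScripts(BEFORE, LOADED, "https://jwatte.com"));
console.log(findUncoveredScripts(BEFORE + " https://scripts.clarity.ms", LOADED, "https://jwatte.com"));
```

Note that `https://*.clarity.ms` would cover `scripts.clarity.ms` but not a bare `clarity.ms` host, which is why the connect-src list later in the post names both.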

## 3. [Trusted Types Audit](/tools/trusted-types-audit/)

Checks for `require-trusted-types-for` in the CSP, scans page source for dangerous DOM sinks (innerHTML, outerHTML, insertAdjacentHTML, document.write, eval, new Function, setTimeout-with-string, Range.createContextualFragment), counts policies defined via `trustedTypes.createPolicy()`, and detects DOMPurify usage. Scores readiness 0-100.

## 4. [Reporting API Audit](/tools/reporting-api-audit/)

Checks `Report-To`, `Reporting-Endpoints` (v2), and `NEL` response headers. Verifies CSP wires `report-to csp-endpoint`. Without a reporting endpoint, CSP + COEP violations are invisible. Scores coverage 0-70.

## 5. [Subresource Integrity (SRI) Audit](/tools/subresource-integrity-audit/)

Every cross-origin `<script src>` or `<link rel=stylesheet>` without an `integrity=` hash is a supply-chain risk. The audit calculates coverage %, flags weak hashes (sha1, md5), checks `crossorigin` is paired with `integrity`, and specifically calls out known high-risk CDN hosts (cdnjs, jsdelivr, unpkg, ajax.googleapis.com).

## 6. [CORS Headers Audit](/tools/cors-headers-audit/)

Flags the classic CORS misuses: `Access-Control-Allow-Origin: *` with `Allow-Credentials: true`, ACAO: null, missing `Vary: Origin` when ACAO is dynamic, wildcard Allow-Methods, missing Max-Age, missing Timing-Allow-Origin.
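The same checks as a small audit function, added here as an example and not the tool's own code. It works on responses captured for two probe requests with different `Origin` values, so it can also tell a reflected (echo-back) ACAO from a fixed one; the probe origins, the site origin and the header sets are constructed.

```javascript
function header(headers, name) {
  // Case-insensitive header lookup; null when the header is absent.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? String(headers[key]).trim() : null;
}

// probes: [{ origin, headers }, ...], one captured response per Origin value tried.
function auditCors(probes, siteOrigin) {
  const findings = [];
  const acao = probes.map((p) => header(p.headers, "Access-Control-Allow-Origin"));
  const creds = probes.map((p) => (header(p.headers, "Access-Control-Allow-Credentials") || "").toLowerCase() === "true");
  // Echo-back: every foreign Origin we sent came back verbatim in ACAO.
  const reflected = probes.filter((p, i) => acao[i] === p.origin && p.origin !== siteOrigin);
  if (probes.length > 1 && reflected.length === probes.length)
    findings.push(creds.some(Boolean)
      ? "critical: ACAO echoes any Origin and Allow-Credentials is true, so authenticated responses are readable cross-site"
      : "medium: ACAO echoes any Origin (no credentials, but confirm the response is meant to be public)");
  if (acao.includes("*") && creds.some(Boolean)) findings.push("high: ACAO * combined with Allow-Credentials: true");
  if (acao.includes("null")) findings.push("high: ACAO null matches sandboxed iframes and data:/file: origins");
  // Dynamic ACAO (different values across probes) must carry Vary: Origin or shared caches mix them up.
  const distinct = new Set(acao.filter((v) => v && v !== "*"));
  const vary = probes.map((p) => (header(p.headers, "Vary") || "").toLowerCase().split(",").map((s) => s.trim()));
  if (distinct.size > 1 && !vary.every((v) => v.includes("origin") || v.includes("*")))
    findings.push("medium: ACAO is dynamic but Vary: Origin is missing");
  const h = probes[0].headers;
  if (header(h, "Access-Control-Allow-Methods") === "*") findings.push("low: wildcard Access-Control-Allow-Methods");
  if (!header(h, "Access-Control-Max-Age")) findings.push("info: Access-Control-Max-Age missing, every preflight reaches the origin");
  if (!header(h, "Timing-Allow-Origin")) findings.push("info: Timing-Allow-Origin missing, Resource Timing stays opaque");
  return findings;
}

// Constructed sample: one endpoint probed twice with foreign Origin values, reflecting both.
const PROBES = [
  { origin: "https://foreign-a.example", headers: { "Access-Control-Allow-Origin": "https://foreign-a.example",
      "Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Methods": "*" } },
  { origin: "https://foreign-b.example", headers: { "Access-Control-Allow-Origin": "https://foreign-b.example",
      "Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Methods": "*" } },
];
console.log(auditCors(PROBES, "https://jwatte.com"));
```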

## 7. [Cross-Origin Isolation Audit](/tools/cross-origin-isolation-audit/)

Checks COOP + COEP + CORP headers. SharedArrayBuffer, high-res timers, and WASM threads require `crossOriginIsolated === true`, which requires `COOP: same-origin` + `COEP: require-corp` (or `credentialless`). The audit verifies the isolation state.

## 8. [API Secret Leakage Audit](/tools/api-secret-leakage-audit/)

Scans HTML and JS for 23 secret patterns: AWS access keys (AKIA...), Stripe live secrets (sk_live_...), Twilio tokens, OpenAI keys (sk-...), Anthropic keys (sk-ant-...), GitHub PATs (ghp_...), Slack tokens (xox...), JWTs, PEM private keys, SendGrid, Mailgun, Algolia admin, Mapbox private tokens, npm tokens. Every hit is assumed rotated-now.

## 9. [Inline Event Handler Audit](/tools/inline-event-handler-audit/)

Scans the DOM for onclick/onchange/onsubmit/onerror/onmouseover and 20+ other inline event attributes, plus `javascript:` URLs in `<a href>` and `<form action>`, plus inline `<script>` blocks, plus document.write and eval usage. Each is a CSP blocker. Without removing these, strict CSP is impossible.

## 10. [Mixed Content Audit](/tools/mixed-content-audit/)

Scans for `http://` references in script, img, link, iframe, video, audio, source, object, embed, form action, inline `<style>` `url()`, and srcset. Classifies each as active (blocked by browser) or passive (browser warning). Checks `upgrade-insecure-requests` CSP directive.

## Plus: [Mega Security Analyzer](/tools/mega-security-analyzer/)

The orchestrator that covers TLS cipher + PQC hybrid KEX + DNS email auth + MITRE ATT&CK + CWE + OWASP Top 10 + SANS Top 25 — 7 layers in a single pass. It was v1 before this batch. The new tools are now specialist deep-links from it.

## The jwatte.com CSP after this audit round

```
default-src 'self';
script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com https://www.clarity.ms https://scripts.clarity.ms;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' data: https:;
connect-src 'self' https://www.google-analytics.com https://analytics.google.com https://www.clarity.ms https://clarity.ms https://c.clarity.ms https://www.googleapis.com;
frame-ancestors 'self';
base-uri 'self';
object-src 'none';
upgrade-insecure-requests
```

Plus `Cross-Origin-Opener-Policy: same-origin-allow-popups` and `Cross-Origin-Resource-Policy: same-site` on all responses.

Not yet strict — still has `unsafe-inline` for script. The migration to nonces + `strict-dynamic` is the next project. The audit tools above are how I'll verify the migration works without breaking analytics.

## Related reading

- [Mega Security Analyzer](/tools/mega-security-analyzer/) — 7-layer security audit orchestrator
- [Modern Security Headers](/blog/blog-modern-security-headers/) — what goes where and why
- [Post-Quantum Crypto](/blog/blog-tool-pqc-analyzer/) — PQC hybrid KEX readiness
- [Lighthouse fixes story](/blog/blog-lighthouse-taught-me-five-new-tools/) — the real jwatte.com audit round

## Fact-check notes and sources

- **CSP Level 3 spec:** [W3C Content Security Policy Level 3](https://www.w3.org/TR/CSP3/).
- **Trusted Types spec:** [W3C Trusted Types](https://www.w3.org/TR/trusted-types/).
- **Reporting API spec:** [W3C Reporting API](https://www.w3.org/TR/reporting-1/).
- **Subresource Integrity:** [W3C SRI](https://www.w3.org/TR/SRI/).
- **CORS spec:** [Fetch Standard § CORS protocol](https://fetch.spec.whatwg.org/#http-cors-protocol).
- **Secret pattern formats:** AWS IAM docs, Stripe API reference, GitHub token format docs, OpenAI API key format.

_This post is informational, not security-consulting, legal, or compliance advice. Mentions of Google, Microsoft Clarity, Cloudflare, AWS, Stripe, Twilio, OpenAI, Anthropic, GitHub, Slack, Mapbox, Algolia, and similar products are nominative fair use. No affiliation is implied. Run scans only on sites you own or have explicit written authorization to test; unauthorized scanning may violate 18 U.S.C. § 1030 or equivalent local law._


