A CSP that blocks Microsoft Clarity silently in production is a silent data leak. A CSP with unsafe-inline is security theater. The ten tools below, plus the orchestrator that ties them together, are how I stopped shipping both.
Why eleven tools, not just "run Mozilla Observatory"
Observatory gives you a letter grade. It doesn't tell you:
- Whether your CSP nonces actually cover every inline script.
- Whether scripts loaded on the page are in your allowlist.
- Whether your Trusted Types policy covers every DOM sink.
- Whether your CORS endpoint leaks credentials on ACAO echo-back.
- Whether the page leaks an AWS key in a JS bundle.
Each of those is a specific production failure mode. Each gets its own tool.
1. CSP Strictness Audit
Parses every directive, checks nonce/hash coverage, strict-dynamic adoption, unsafe-inline presence, wildcard source lists, frame-ancestors, base-uri, object-src 'none', Trusted Types directive, and report endpoint. Produces a 0-95 strictness score.
2. CSP Allowlist Completeness
Cross-references every loaded script, stylesheet, iframe, and image against the corresponding CSP directive. Flags the exact host that's blocked. Built after the fixes2.txt audit showed scripts.clarity.ms was being dropped because I'd allowlisted www.clarity.ms instead.
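As an added example (mine, not the author's audit tool), here is a minimal CSP parser with a few of the tool 1 strictness checks and the host-source matching that tool 2's allowlist cross-reference needs, run against a constructed policy that reproduces the www.clarity.ms versus scripts.clarity.ms mistake. The example.test origin, the policy strings and the prefix-only path matching are assumptions.

```python
from urllib.parse import urlparse

def parse_csp(policy):
    """Serialized CSP string -> {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def strictness_findings(d):
    """Reasons a policy is not 'strict CSP' (a subset of the audit's checks)."""
    f, script = [], d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
        f.append("script-src allows 'unsafe-inline' with no nonce or hash")
    if "'strict-dynamic'" not in script:
        f.append("script-src lacks 'strict-dynamic'")
    if any(s in ("*", "https:", "http:") for s in script):
        f.append("script-src has a wildcard or scheme-wide source")
    if d.get("object-src") != ["'none'"]:
        f.append("object-src is not 'none'")
    f += [f"{x} missing" for x in ("base-uri", "frame-ancestors") if x not in d]
    if not ({"report-to", "report-uri"} & d.keys()):
        f.append("no violation reporting directive")
    return f

def host_source_matches(source, url):
    """CSP host-source matching: optional scheme, host with optional '*.' label, path prefix (simplified)."""
    if source.startswith("'") or ":" in source and "://" not in source:   # keyword or scheme-source
        return False
    s, u = urlparse(source if "://" in source else "https://" + source), urlparse(url)
    if "://" in source and s.scheme != u.scheme:
        return False
    host, target = (s.hostname or ""), (u.hostname or "")
    host_ok = target.endswith(host[1:]) if host.startswith("*.") else target == host
    return host_ok and u.path.startswith(s.path or "/")

def blocked_scripts(d, urls, page_origin):
    """Loaded script URLs that no script-src entry (including 'self') permits."""
    script = d.get("script-src", d.get("default-src", []))
    return [u for u in urls if not (("'self'" in script and u.startswith(page_origin + "/"))
                                    or any(host_source_matches(s, u) for s in script))]

# Constructed policy reproducing the allowlist mistake described above (www.clarity.ms only)
BEFORE = ("default-src 'self'; script-src 'self' 'unsafe-inline' https://www.clarity.ms; "
          "object-src 'none'; base-uri 'self'; frame-ancestors 'self'")
LOADED = ["https://example.test/app.js", "https://www.clarity.ms/tag/x.js", "https://scripts.clarity.ms/tag/x.js"]
```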
3. Trusted Types Audit
Checks for require-trusted-types-for in the CSP, scans page source for dangerous DOM sinks (innerHTML, outerHTML, insertAdjacentHTML, document.write, eval, new Function, setTimeout-with-string, Range.createContextualFragment), counts policies defined via trustedTypes.createPolicy(), and detects DOMPurify usage. Scores readiness 0-100.
4. Reporting API Audit
Checks Report-To, Reporting-Endpoints (v2), and NEL response headers. Verifies that the CSP's report-to directive points at the csp-endpoint group those headers define. Without a reporting endpoint, CSP and COEP violations are invisible. Scores coverage 0-70.
5. Subresource Integrity (SRI) Audit
Every cross-origin <script src> or <link rel=stylesheet> without an integrity= hash is a supply-chain risk. The audit calculates coverage %, flags weak hashes (sha1, md5), checks crossorigin is paired with integrity, and specifically calls out known high-risk CDN hosts (cdnjs, jsdelivr, unpkg, ajax.googleapis.com).
6. CORS Headers Audit
Flags the classic CORS misuse: Access-Control-Allow-Origin: * with Allow-Credentials: true, ACAO: null, missing Vary: Origin when ACAO is dynamic, wildcard Allow-Methods, missing Max-Age, missing Timing-Allow-Origin.
7. Cross-Origin Isolation Audit
Checks COOP + COEP + CORP headers. SharedArrayBuffer, high-res timers, and WASM threads require crossOriginIsolated === true, which requires COOP: same-origin + COEP: require-corp (or credentialless). The audit verifies the isolation state.
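Added example (not the author's tool): a response-header audit covering the CORS checks of tool 6 and the isolation rule of tool 7, applied to constructed responses. The header values, including a COOP/CORP pair like the one jwatte.com sends, are assumptions.

```python
def _header(headers, name):
    """Case-insensitive lookup in a {name: value} response header dict."""
    return next((v.strip() for k, v in headers.items() if k.lower() == name.lower()), None)

def cors_findings(headers):
    """The CORS misconfigurations the audit above looks for, as a list of strings."""
    acao = _header(headers, "Access-Control-Allow-Origin")
    if acao is None:
        return []                                   # endpoint does not speak CORS at all
    creds = (_header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    vary = {v.strip().lower() for v in (_header(headers, "Vary") or "").split(",")}
    f = []
    if acao == "*" and creds:
        f.append("ACAO '*' combined with Allow-Credentials: true")
    if acao.lower() == "null":
        f.append("ACAO 'null' (any sandboxed or opaque origin matches it)")
    if acao not in ("*", "null") and "origin" not in vary:
        f.append("origin-specific ACAO without Vary: Origin (shared caches can serve it cross-origin)")
    if _header(headers, "Access-Control-Allow-Methods") == "*":
        f.append("wildcard Access-Control-Allow-Methods")
    if _header(headers, "Access-Control-Max-Age") is None:
        f.append("no Access-Control-Max-Age, so every non-simple request preflights")
    if _header(headers, "Timing-Allow-Origin") is None:
        f.append("no Timing-Allow-Origin")
    return f

def cross_origin_isolated(headers):
    """Browser rule: crossOriginIsolated needs COOP same-origin and COEP require-corp or credentialless."""
    coop = (_header(headers, "Cross-Origin-Opener-Policy") or "").lower()
    coep = (_header(headers, "Cross-Origin-Embedder-Policy") or "").lower()
    return coop == "same-origin" and coep in ("require-corp", "credentialless")

# Constructed responses: an origin-echoing CORS endpoint, and the COOP/CORP pair a blog might ship
ECHO_BACK = {"Access-Control-Allow-Origin": "https://app.example",
             "Access-Control-Allow-Credentials": "true", "Vary": "Accept-Encoding"}
BLOG = {"Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-site"}
```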
8. API Secret Leakage Audit
Scans HTML and JS for 23 secret patterns: AWS access keys (AKIA...), Stripe live secrets (sk_live_...), Twilio tokens, OpenAI keys (sk-...), Anthropic keys (sk-ant-...), GitHub PATs (ghp_...), Slack tokens (xox...), JWTs, PEM private keys, SendGrid, Mailgun, Algolia admin, Mapbox private tokens, npm tokens. Every hit is treated as a credential that must be rotated immediately.
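Added example (not the author's tool) covering tools 3 and 8 together, since both are regex passes over page text: a sink scan that feeds the Trusted Types readiness inputs, and a secret scan. The regexes are my approximations of the vendors' published key formats, and the sample script is constructed.

```python
import re

# DOM sinks that Trusted Types gates; matching is textual, so treat hits as leads to review
DOM_SINKS = {
    "innerHTML/outerHTML assignment": re.compile(r"\.(inner|outer)HTML\s*="),
    "insertAdjacentHTML": re.compile(r"\.insertAdjacentHTML\s*\("),
    "document.write": re.compile(r"document\.write(ln)?\s*\("),
    "eval / new Function": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "setTimeout/setInterval with a string": re.compile(r"\bset(Timeout|Interval)\s*\(\s*['\"]"),
    "createContextualFragment": re.compile(r"\.createContextualFragment\s*\("),
}
# Credential shapes (approximations of the vendors' published formats, not exhaustive)
SECRETS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe live secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "GitHub PAT": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "Anthropic key": re.compile(r"\bsk-ant-[0-9A-Za-z_-]{20,}"),
    "Slack token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}"),
    "JWT": re.compile(r"\beyJ[0-9A-Za-z_-]+\.eyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+"),
    "PEM private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def scan(source, patterns):
    """Return [(label, line_number, matched_text)] for every pattern hit, in source order."""
    return [(label, n, m.group(0))
            for n, line in enumerate(source.splitlines(), 1)
            for label, rx in patterns.items()
            for m in rx.finditer(line)]

def trusted_types_report(csp, source):
    """Readiness inputs: TT enforced by the CSP, sinks remaining, policies defined, DOMPurify present."""
    return {
        "enforced": "require-trusted-types-for" in csp,
        "sinks": len(scan(source, DOM_SINKS)),
        "policies": len(re.findall(r"trustedTypes\.createPolicy\s*\(", source)),
        "dompurify": bool(re.search(r"\bDOMPurify\.sanitize\s*\(", source)),
    }

# Constructed page script; the AWS value is the placeholder from AWS's own documentation, not a live key
SAMPLE = """const box = document.getElementById('out');
box.innerHTML = payload;
setTimeout("tick()", 1000);
const cfg = { region: "us-east-1", keyId: "AKIAIOSFODNN7EXAMPLE" };"""
```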
9. Inline Event Handler Audit
Scans the DOM for onclick/onchange/onsubmit/onerror/onmouseover and 20+ other inline event attributes, plus javascript: URLs in <a href> and <form action>, plus inline <script> blocks, plus document.write and eval usage. Each is a CSP blocker. Without removing these, strict CSP is impossible.
10. Mixed Content Audit
Scans for http:// references in script, img, link, iframe, video, audio, source, object, embed, form action, inline <style> url(), and srcset. Classifies each as active (blocked by browser) or passive (browser warning). Checks upgrade-insecure-requests CSP directive.
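Added example (not the author's tool) that covers tools 5, 9 and 10 in one pass over the HTML, since all three inspect the same element attributes: SRI coverage and hash strength, inline event handlers and javascript: URLs, and http:// mixed content classified as active or passive. The page origin and the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
ACTIVE = {"script", "iframe", "link", "object", "embed", "form"}   # http:// here is blocked by browsers
PASSIVE = {"img", "video", "audio", "source"}                       # http:// here only draws a warning
RISKY_CDNS = {"cdnjs.cloudflare.com", "cdn.jsdelivr.net", "unpkg.com", "ajax.googleapis.com"}

class PageAudit(HTMLParser):
    def __init__(self, page_origin):
        super().__init__()
        self.origin, self.findings, self.sri_total, self.sri_ok, self._in_script = page_origin, [], 0, 0, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = (a.get("src") or a.get("href") or a.get("action") or "").strip()
        # inline handlers, javascript: URLs and inline <script> bodies all block a nonce/hash CSP
        self.findings += [f"inline handler {n} on <{tag}>" for n in a if n.startswith("on")]
        if url.lower().startswith("javascript:"):
            self.findings.append(f"javascript: URL on <{tag}>")
        if tag == "script":
            self._in_script = "src" not in a
        # mixed content: the loading element decides whether the browser blocks or only warns
        if url.startswith("http://") and tag in ACTIVE | PASSIVE:
            kind = "active (blocked)" if tag in ACTIVE else "passive (warning)"
            self.findings.append(f"mixed content {kind}: <{tag}> {url}")
        # SRI: each cross-origin script/stylesheet needs a strong integrity hash paired with crossorigin
        is_style = tag == "link" and "stylesheet" in (a.get("rel") or "").lower()
        if ((tag == "script" and "src" in a) or is_style) and "://" in url and not url.startswith(self.origin):
            self.sri_total += 1
            integ, host = a.get("integrity") or "", urlparse(url).hostname or ""
            if not integ:
                self.findings.append(f"no integrity on {url}" + (" (high-risk CDN)" if host in RISKY_CDNS else ""))
            elif not integ.startswith(("sha256-", "sha384-", "sha512-")):
                self.findings.append(f"weak integrity hash on {url}")
            else:
                self.sri_ok += 1
                if "crossorigin" not in a:
                    self.findings.append(f"integrity without crossorigin on {url}")
    def handle_data(self, data):                 # script bodies arrive here as CDATA text
        if self._in_script and data.strip():
            self.findings.append("inline <script> block")
            self._in_script = False
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

def audit_html(html, page_origin):
    # Returns (findings, SRI coverage %) for a page served from page_origin
    p = PageAudit(page_origin)
    p.feed(html)
    return p.findings, (round(100 * p.sri_ok / p.sri_total) if p.sri_total else 100)
SAMPLE = """<script src="https://cdn.jsdelivr.net/npm/lib.js"></script><script>init();</script>
<script src="https://scripts.clarity.ms/tag.js" integrity="sha384-abc" crossorigin="anonymous"></script>
<img src="http://img.example/logo.png"><a href="javascript:void(0)" onclick="go()">go</a>"""  # constructed markup
```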
Plus: Mega Security Analyzer
The orchestrator that covers TLS cipher + PQC hybrid KEX + DNS email auth + MITRE ATT&CK + CWE + OWASP Top 10 + SANS Top 25 — 7 layers in a single pass. It was v1 before this batch. The new tools are now specialist deep-links from it.
The jwatte.com CSP after this audit round
default-src 'self';
script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com https://www.clarity.ms https://scripts.clarity.ms;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' data: https:;
connect-src 'self' https://www.google-analytics.com https://analytics.google.com https://www.clarity.ms https://clarity.ms https://c.clarity.ms https://www.googleapis.com;
frame-ancestors 'self';
base-uri 'self';
object-src 'none';
upgrade-insecure-requests
Plus Cross-Origin-Opener-Policy: same-origin-allow-popups and Cross-Origin-Resource-Policy: same-site on all responses.
Not yet strict — still has unsafe-inline for script. The migration to nonces + strict-dynamic is the next project. The audit tools above are how I'll verify the migration works without breaking analytics.
Related reading
- Mega Security Analyzer — 7-layer security audit orchestrator
- Modern Security Headers — what goes where and why
- Post-Quantum Crypto — PQC hybrid KEX readiness
- Lighthouse fixes story — the real jwatte.com audit round
Fact-check notes and sources
- CSP Level 3 spec: W3C Content Security Policy Level 3.
- Trusted Types spec: W3C Trusted Types.
- Reporting API spec: W3C Reporting API.
- Subresource Integrity: W3C SRI.
- CORS spec: Fetch Standard § CORS protocol.
- Secret pattern formats: AWS IAM docs, Stripe API reference, GitHub token format docs, OpenAI API key format.
This post is informational, not security-consulting, legal, or compliance advice. Mentions of Google, Microsoft Clarity, Cloudflare, AWS, Stripe, Twilio, OpenAI, Anthropic, GitHub, Slack, Mapbox, Algolia, and similar products are nominative fair use. No affiliation is implied. Run scans only on sites you own or have explicit written authorization to test; unauthorized scanning may violate 18 U.S.C. § 1030 or equivalent local law.