csp

CSP Badge

Security Matters

^{Social Media Photo by Franck on Unsplash}

This repository exists only to allow other repositories to add a badge about the CSP state of the module, library, or helper.

The offered SVG images are the following:

suitable for projects that don’t use eval or Function or scripts served as Blob, hence don’t ever need any particular CSP rule
suitable for projects that might need particular CSP rules to fully work as expected
for all projects humble enough to declare such project is everything but secure, and inform users about the risk they might have if such project is used in production

CSP strict

The project does not need any specific CSP configuration because it does not include, use, or inject, any Function, eval, or other workarounds to evaluate anything at all, hence the security is granted to be the best possible.

CSP friendly

The project might need some specific CSP configuration, because it could need to use Function, eval, or any other workaround to evaluate code at runtime, hence security needs to be considered, and best practices followed.

CSP hostile

The project shamelessly needs, use, or pollute the running software, with Function, eval, or any other workaround to evaluate code at runtime, so that even CSP might not be enough to grant a secure execution of the program.

How to include

If your project would like to inform its users about its CSP compliancy, you can add one of these badges on top of your GitHub, GitLab, or any other service, so that it’ll be instantly visible:

Markdown - Basic

![CSP strict](https://webreflection.github.io/csp/strict.svg)
![CSP friendly](https://webreflection.github.io/csp/friendly.svg)
![CSP hostile](https://webreflection.github.io/csp/hostile.svg)

Markdown - Informative

[![CSP strict](https://webreflection.github.io/csp/strict.svg)](https://webreflection.github.io/csp/#-csp-strict)
[![CSP friendly](https://webreflection.github.io/csp/friendly.svg)](https://webreflection.github.io/csp/#-csp-friendly)
[![CSP hostile](https://webreflection.github.io/csp/hostile.svg)](https://webreflection.github.io/csp/#-csp-hostile)

HTML - Basic

<img alt="CSP strict" src="https://webreflection.github.io/csp/strict.svg">
<img alt="CSP friendly" src="https://webreflection.github.io/csp/friendly.svg">
<img alt="CSP hostile" src="https://webreflection.github.io/csp/hostile.svg">

HTML - Informative

<a href="https://webreflection.github.io/csp/#-csp-strict">
  <img alt="CSP strict" src="https://webreflection.github.io/csp/strict.svg">
</a>
<a href="https://webreflection.github.io/csp/#-csp-friendly">
  <img alt="CSP friendly" src="https://webreflection.github.io/csp/friendly.svg">
</a>
<a href="https://webreflection.github.io/csp/#-csp-hostile">
  <img alt="CSP hostile" src="https://webreflection.github.io/csp/hostile.svg">
</a>