CSP headers are one of those things that look simple until you actually audit them. The bypass detection is the useful part — I've seen plenty of Laravel apps with a CSP that looks reasonable until you notice it allows unsafe-inline because someone needed a quick fix three years ago and nobody noticed.
Does it handle report-uri vs report-to differences? The migration between those two has caught a few teams I've worked with off guard.
alt Hacker News
CSP headers are one of those things that look simple until you actually audit them. The bypass detection is the useful part — I've seen plenty of Laravel apps with a CSP that looks reasonable until you notice it allows unsafe-inline because someone needed a quick fix three years ago and nobody noticed. Does it handle report-uri vs report-to differences? The migration between those two has caught a few teams I've worked with off guard.