
sec-csp-generate Edge Function — Security


Generates a Content-Security-Policy header value from a structured directives object — supports report-only mode and report-uri.

navin @navin verified
Updated Mar 12, 2026

Edge function sec-csp-generate generates a Content-Security-Policy header value from a structured directives object; it supports report-only mode and report-uri. Deployed on Cloudflare Workers (zero cold starts, globally distributed). Mount it via your Aerostack workspace to call it from any AI agent.

terminal — aerostack cli
$ npx aerostack add navin/sec-csp-generate

Use with AI Assistants

MCP

Connect Claude, Cursor, or any MCP-compatible client — then call this function by slug

① Add MCP Server

Add this once — access all Aerostack functions from your AI tool.

claude_desktop_config.json
{
  "mcpServers": {
    "aerostack": {
      "url": "https://mcp.aerostack.dev",
      "type": "http"
    }
  }
}

② Call this function

Ask your AI to use the call_function tool with this slug:

call_function
call_function({
  slug: "sec-csp-generate",
  args: {
    "directives": {
      "default-src": ["'self'"],
      "script-src": ["'self'", "https://cdn.example.com"]
    },
    "reportUri": "https://csp.report/my-project",
    "reportOnly": false
  }
})

sec-csp-generate — Build Content-Security-Policy headers

Converts a structured CSP directives object into a ready-to-use Content-Security-Policy header string. Supports report-only mode and violation reporting endpoints.


API

POST /api/sec-csp-generate

Request body

Field        Type                       Required  Default  Description
directives   Record<string, string[]>   yes                CSP directive names mapped to arrays of source values
reportUri    string                     no                 URL for CSP violation reports (emitted as a report-uri directive)
reportOnly   boolean                    no        false    Use report-only mode: the header is returned as Content-Security-Policy-Report-Only and nothing is blocked

Success response (200)

{
  "success": true,
  "data": {
    "header": "default-src 'self'; script-src 'self' https://cdn.example.com",
    "headerName": "Content-Security-Policy"
  }
}

Error responses

Code            HTTP  When
INVALID_INPUT   400   Missing or invalid directives
INTERNAL_ERROR  500   Unexpected error

Usage

cURL
curl -X POST "$FUNCTION_URL" \
  -H "Content-Type: application/json" \
  -d '{
    "directives": {
      "default-src": ["'\''self'\''"],
      "script-src": ["'\''self'\''", "https://cdn.example.com"],
      "img-src": ["*"]
    }
  }'
TypeScript / JavaScript (HTTP)
const response = await fetch(FUNCTION_URL, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    directives: {
      'default-src': ["'self'"],
      'script-src': ["'self'", 'https://cdn.example.com'],
      'object-src': ["'none'"],
    },
    reportUri: 'https://csp.report/my-project',
  }),
});
const body = await response.json();
// On INVALID_INPUT / INTERNAL_ERROR there is no data field; fail closed instead of
// calling setHeader with undefined.
if (!response.ok || !body.success) {
  throw new Error(`sec-csp-generate failed with HTTP ${response.status}`);
}
// headerName is Content-Security-Policy, or Content-Security-Policy-Report-Only when reportOnly is set
res.setHeader(body.data.headerName, body.data.header);
Direct import (Node / Bun / Deno)
import { generateCsp } from '@aerostack/functions/sec-csp-generate';

const { header, headerName } = generateCsp({
  directives: {
    'default-src': ["'self'"],
    'script-src': ["'self'", 'https://cdn.example.com'],
  },
});
response.headers.set(headerName, header);

Use Cases

  • Generating CSP headers dynamically per-tenant based on their configured CDN/script sources
  • Validating a CSP configuration before deploying it (use report-only first)
  • Building a CSP middleware factory that reads from config and sets headers on every response
  • Generating environment-specific CSP headers (stricter in production, looser in dev)

Notes

  • Directive names are lowercased automatically
  • Flag directives (no values) like upgrade-insecure-requests: pass an empty array []
  • Common source values: 'self', 'none', 'unsafe-inline', 'unsafe-eval', https:, data:. Keyword sources must include their single quotes, exactly as in the examples above ("'self'", not "self"); browsers parse an unquoted self as a host name, not a keyword
  • 'unsafe-inline' and 'unsafe-eval' largely defeat the purpose of script-src; prefer nonces ('nonce-...') or hashes ('sha256-...') for inline scripts
  • Report-only mode returns the header as Content-Security-Policy-Report-Only: violations are reported but nothing is blocked, so pair it with reportUri or you get no signal. Use it to test a new policy before enforcing it
  • report-uri is deprecated in the CSP Level 3 specification in favour of report-to, but it is still honoured by current browsers and remains the most widely supported reporting mechanism
  • Treat tenant- or user-supplied source values as untrusted input and validate them against the host-source grammar before they reach directives; the documented API does not describe any filtering of values, and a value containing ';' or whitespace is not a single source expression
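The following is an added reference implementation of the request/response contract documented in the API section and the behaviours listed in the Notes (lowercased directive names, flag directives as empty arrays, report-only header naming, report-uri). It is not the sec-csp-generate source; the function name buildCsp, the CspInputError class and the validation rules are this example's own. It goes one step beyond the page by rejecting source values that could splice a second directive into the policy, which is the failure mode to guard against in the per-tenant use case above.

```typescript
// Added example: a reference serializer for the documented API contract.
// Not the sec-csp-generate source; buildCsp, CspInputError and the validation
// rules below are assumptions of this example.

type Directives = Record<string, string[]>;

interface CspRequest {
  directives: Directives;
  reportUri?: string;
  reportOnly?: boolean;
}

interface CspResult {
  header: string;
  headerName: 'Content-Security-Policy' | 'Content-Security-Policy-Report-Only';
}

// Mirrors the documented INVALID_INPUT / 400 error code.
class CspInputError extends Error {
  readonly code = 'INVALID_INPUT';
  constructor(message: string) {
    super(message);
    Object.setPrototypeOf(this, CspInputError.prototype);
  }
}

// Directive names are ASCII letters, digits and hyphens (script-src, upgrade-insecure-requests, ...).
const DIRECTIVE_NAME = /^[a-z][a-z0-9-]*$/;

// A single source expression never contains whitespace, ';' or ','. Rejecting them stops a
// tenant-supplied value such as "https://cdn.example.com; script-src *" from smuggling a
// second directive into the serialized policy.
const SOURCE_VALUE = /^[^\s;,]+$/;

// Keyword sources must carry their single quotes. An unquoted "self" is parsed by browsers as
// a host named self, which silently weakens or breaks the policy.
const KEYWORDS = new Set([
  'self', 'none', 'unsafe-inline', 'unsafe-eval', 'unsafe-hashes',
  'strict-dynamic', 'wasm-unsafe-eval', 'report-sample',
]);

function buildCsp(req: CspRequest): CspResult {
  const { directives, reportUri, reportOnly = false } = req;
  if (!directives || typeof directives !== 'object' || Array.isArray(directives)) {
    throw new CspInputError('directives must be an object mapping directive names to arrays');
  }

  const parts: string[] = [];
  for (const [rawName, values] of Object.entries(directives)) {
    const name = rawName.trim().toLowerCase(); // directive names are lowercased
    if (!DIRECTIVE_NAME.test(name)) {
      throw new CspInputError(`invalid directive name: ${JSON.stringify(rawName)}`);
    }
    if (!Array.isArray(values)) {
      throw new CspInputError(`values for ${name} must be an array (use [] for flag directives)`);
    }
    const sources = values.map((v) => {
      const s = String(v).trim();
      if (!SOURCE_VALUE.test(s)) {
        throw new CspInputError(`invalid source value in ${name}: ${JSON.stringify(v)}`);
      }
      if (KEYWORDS.has(s.toLowerCase())) {
        throw new CspInputError(`keyword source in ${name} must be quoted: '${s}'`);
      }
      return s;
    });
    // Flag directives (empty array) serialize as the bare directive name.
    parts.push(sources.length ? `${name} ${sources.join(' ')}` : name);
  }

  if (reportUri !== undefined) {
    if (!SOURCE_VALUE.test(reportUri)) {
      throw new CspInputError('reportUri must be a single URL without whitespace, ; or ,');
    }
    parts.push(`report-uri ${reportUri}`);
  }

  if (parts.length === 0) {
    throw new CspInputError('directives must contain at least one directive');
  }

  return {
    header: parts.join('; '),
    headerName: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
  };
}

// Constructed sample: the policy from the success response above, rolled out in
// report-only mode first so violations are reported before anything is blocked.
const staged = buildCsp({
  directives: { 'default-src': ["'self'"], 'script-src': ["'self'", 'https://cdn.example.com'] },
  reportUri: 'https://csp.report/my-project',
  reportOnly: true,
});
console.log(`${staged.headerName}: ${staged.header}`);
```

Unknown directive names are deliberately passed through, since browsers ignore directives they do not recognise and the vocabulary changes between CSP levels; the checks above enforce the shape of the policy, not its vocabulary.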

Metadata

Version 1.0.0
License MIT
Language typescript
Provider aerostack

Tags

security

Build and publish your own functions

Write a TypeScript function, deploy it to the edge, and share it with thousands of developers — in minutes.


Frequently asked questions

What does the sec-csp-generate function do?

sec-csp-generate is a serverless edge function for security automation, written in TypeScript and published on Aerostack. Deploy it to Cloudflare Workers via your Aerostack workspace.

How do I deploy the sec-csp-generate function?

Install the Aerostack CLI and run:

$ aerostack deploy function @navin/sec-csp-generate

It will be live on Cloudflare Workers in seconds.

What runtime does sec-csp-generate use?

sec-csp-generate runs on the Cloudflare Workers edge runtime via Aerostack: zero cold starts, globally distributed.

Can I customise the sec-csp-generate function?

Yes. Fork the function from your Aerostack dashboard, modify the source, and redeploy. All changes are version-controlled.