Workflow overview
Reference · liveworkflow:csp-header-audit
CSP Header Audit overview
Audits Content Security Policy headers across all web properties: scanning script-src and style-src source lists (and the default-src fallback they inherit from) for the 'unsafe-inline' and 'unsafe-eval' keywords, validating that nonces are unique per response and unguessable and that hash sources match the inline scripts actually served, triaging CSP violation reports to separate false positives (such as scripts injected by browser extensions) from real injection attempts, testing policies under Content-Security-Policy-Report-Only before switching them to enforcement, and verifying third-party script allowlists against the current vendor inventory. Excludes general web application penetration testing.
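The checks the description lists, as an added example in Python; this is not code from the workflow page or from any tool it references. The host names, the vendor inventory, the inline script body and the response headers are constructed for illustration. The audit assumes header names have already been canonicalized by the HTTP client, and models inline scripts as hash-pinned bodies, skipping the hash check when the policy carries a nonce (nonced elements are allowed by their nonce attribute rather than by a hash).

```python
# Added example, not code from the workflow page. Host names, the vendor
# inventory and the sample policies are constructed; header names are assumed
# to be canonicalized already (e.g. by the HTTP client).
import base64
import hashlib
from urllib.parse import urlsplit

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")
EXTENSION_SCHEMES = ("chrome-extension://", "moz-extension://", "safari-web-extension://")


def parse_csp(header: str) -> dict:
    """Parse a CSP header value into {directive: [source, ...]}. Names are
    case-insensitive and, as in browsers, a repeated directive is ignored."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: dict):
    """Sources governing script loads: script-src, else the default-src fallback."""
    for name in ("script-src", "default-src"):
        if name in policy:
            return policy[name]
    return None


def csp_hash(body: str, algo: str = "sha256") -> str:
    """Hash-source a policy must list to allow exactly this inline script body."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"


def nonce_ok(source: str) -> bool:
    """A nonce-source should be valid base64 carrying at least 128 bits."""
    try:
        return len(base64.b64decode(source[len("'nonce-"):-1], validate=True)) >= 16
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def audit(headers: dict, inline_scripts: list, vendor_hosts: set) -> list:
    """Findings for one response. inline_scripts are the served inline <script>
    bodies (assumed hash-pinned unless a nonce is in use); vendor_hosts are the
    approved third-party script hosts, written as CSP host-sources."""
    findings = []
    enforced = headers.get("Content-Security-Policy")
    report_only = headers.get("Content-Security-Policy-Report-Only")
    if enforced is None:
        findings.append("no enforced CSP" + (", report-only header only" if report_only else ""))
        if report_only is None:
            return findings
    sources = script_sources(parse_csp(enforced or report_only))
    if sources is None:
        return findings + ["scripts unrestricted: neither script-src nor default-src set"]
    nonces = [s for s in sources if s.startswith("'nonce-")]
    hashes = {s for s in sources if s.startswith(HASH_PREFIXES)}
    if "'unsafe-eval'" in sources:
        findings.append("script-src allows 'unsafe-eval'")
    if "'unsafe-inline'" in sources:
        if nonces or hashes:  # CSP2+ ignores the keyword once a nonce/hash is present
            findings.append("'unsafe-inline' is dead weight for CSP2+ browsers but still honoured by CSP1-only ones")
        else:
            findings.append("script-src allows 'unsafe-inline': inline XSS is not blocked")
    findings += [f"weak nonce {n}: not base64 or under 128 bits" for n in nonces if not nonce_ok(n)]
    served = {csp_hash(b) for b in inline_scripts}
    if not nonces and "'unsafe-inline'" not in sources:  # inline code must be hash-pinned
        findings += [f"inline script not allowlisted: {h}" for h in sorted(served - hashes)]
    findings += [f"stale hash-source {h}: no served inline script matches" for h in sorted(hashes - served)]
    for s in sources:
        if s.startswith("'"):  # keyword, nonce or hash source
            continue
        if s == "*" or s.endswith(":"):  # '*' or a bare scheme allows any host
            findings.append(f"over-broad script source {s}")
            continue
        host = urlsplit(s if "://" in s else "//" + s).hostname or s
        if host not in vendor_hosts:
            findings.append(f"script host {host} not in vendor inventory")
    return findings


def triage_report(report: dict, vendor_hosts: set) -> str:
    """Classify one csp-report object from a report-uri POST body."""
    blocked = report.get("blocked-uri", "")
    if blocked.startswith(EXTENSION_SCHEMES) or report.get("source-file", "").startswith(EXTENSION_SCHEMES):
        return "false-positive: a browser extension injected the resource"
    if blocked in ("", "inline", "eval"):
        return "review: inline/eval code blocked, compare script-sample with deployed code"
    host = urlsplit(blocked).hostname or blocked
    if host in vendor_hosts:
        return f"policy drift: approved vendor host {host} is not allowlisted"
    return f"potential threat: script loaded from unknown host {host}"


if __name__ == "__main__":  # constructed sample inputs
    inline = "window.dataLayer = window.dataLayer || [];"
    vendors = {"cdn.vendor-a.example", "*.tagmanager.example"}
    weak = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https: cdn.vendor-a.example"
    strong = f"script-src 'self' {csp_hash(inline)} 'nonce-iQ8WLvvT3t2F7LQ2U1fR9g==' *.tagmanager.example"
    for policy in (weak, strong):
        print(audit({"Content-Security-Policy": policy}, [inline], vendors))
    print(triage_report({"blocked-uri": "chrome-extension://abcd/inject.js"}, vendors))
```

Run against a crawl of each property's responses, the weak policy yields three findings (eval, inline, and the bare `https:` scheme that lets any HTTPS host serve scripts) while the hash-and-nonce policy yields none; the stale-hash check catches policies that were not updated when an inline script changed, which is the usual cause of report-only noise during a migration.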
Attributes
displayName
CSP Header Audit
workflowKind
security
triggerType
scheduled
typicalCadence
quarterly
complexity
cross-team
description
Audits Content Security Policy headers across all web properties: scanning script-src and style-src source lists (and the default-src fallback they inherit from) for the 'unsafe-inline' and 'unsafe-eval' keywords, validating that nonces are unique per response and unguessable and that hash sources match the inline scripts actually served, triaging CSP violation reports to separate false positives (such as scripts injected by browser extensions) from real injection attempts, testing policies under Content-Security-Policy-Report-Only before switching them to enforcement, and verifying third-party script allowlists against the current vendor inventory. Excludes general web application penetration testing.
Outgoing edges
applies_to_domain (2)
- domain:web-development · Domain · Web Development
- domain:security · Domain · Security
involves_role (3)
- role:security-reviewer · Role · Security Reviewer
- role:implementer · Role · Implementer
- role:tech-lead · Role · Tech Lead
performed_by_org_unit (2)
- org-unit:application-security-team · OrgUnit · Application Security Team
- org-unit:frontend-team · OrgUnit · Frontend Team
requires_skill_area (2)
- skill-area:webhook-verification · SkillArea · Webhook Verification
- skill-area:observability-pipeline · SkillArea · Observability Pipeline
triggers_responsibility (2)
- responsibility:run-security-scans · Responsibility · Run security scans
- responsibility:security-review · Responsibility · Security review
Incoming edges
None.