Astro Security
Agent Workflow (MANDATORY)
Before ANY implementation, use TeamCreate to spawn 3 agents:
- fuse-ai-pilot:explore-codebase - Analyze existing security config, adapters, headers
- fuse-ai-pilot:research-expert - Verify latest Astro 6 CSP docs via Context7/Exa
- mcp__context7__query-docs - Check CSP compatibility with deployment adapter
After implementation, run fuse-ai-pilot:sniper for validation.
Overview
When to Use
- Enabling CSP in an Astro 6 project (stable in v6.0.0)
- Configuring `security.csp` in `astro.config.mjs`
- Adding SHA-256/384/512 hashes for external scripts or styles
- Using nonces for dynamic script injection
- Setting up `experimentalStaticHeaders` for adapter-based CSP headers
CSP in Astro 6
Astro 6 ships Content Security Policy as a stable feature (previously experimental). When enabled:
- Astro automatically generates SHA hashes for all bundled scripts and styles
- Injects a `<meta http-equiv="content-security-policy">` in each page's `<head>`
- Supports `script-src` and `style-src` directives by default
Limitations:
- Not supported in `dev` mode — test with `build` + `preview`
- External scripts and styles require manual hash configuration
- Incompatible with `<ClientRouter />` view transitions (use native View Transition API)
- Shiki syntax highlighter (inline styles) not currently supported
Reference Guide
Concepts
| Topic | Reference | When to Consult |
|---|---|---|
| CSP overview | csp-overview.md | Understanding CSP in Astro 6 |
| Configuration | csp-config.md | All config options |
| Script directive | script-directive.md | script-src configuration |
| Style directive | style-directive.md | style-src configuration |
| Nonces | nonces.md | Dynamic script injection |
| Static headers | static-headers.md | Adapter-based CSP headers |
Templates
| Template | When to Use |
|---|---|
| csp-basic.md | Basic CSP enable with algorithm |
| csp-advanced.md | Full config with directives + static headers |
Best Practices
- Always test with `build` + `preview` — CSP is inactive in dev mode
- Start with SHA-512 — strongest hash algorithm
- Use `'self'` explicitly — not included by default in `resources`
- Hash external scripts manually — compute SHA hashes for CDN resources
- Combine with adapter headers — use `experimentalStaticHeaders` for Vercel/Netlify
Forbidden
- Testing CSP in `dev` mode (doesn't work — always use `build` + `preview`)
- Using `<ClientRouter />` with CSP enabled
- Forgetting to add `'self'` when using the `resources` array
- Adding `unsafe-inline` (defeats the purpose of CSP)