Skill

astro-security

Use when configuring Content Security Policy (CSP) in Astro 6, setting security headers, managing script/style hashes, using nonces, or implementing experimentalStaticHeaders for adapter deployments.

From fuse-astro

Install

Run in your terminal

npx claudepluginhub fusengine/agents --plugin fuse-astro

Tool Access

This skill uses the workspace's default tool permissions.

Supporting Assets

View in Repository

references/csp-config.md

references/csp-overview.md

references/nonces.md

references/script-directive.md

references/static-headers.md

references/style-directive.md

references/templates/csp-advanced.md

references/templates/csp-basic.md

Skill Content

Similar Skills

cache-components

Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.

cache-components

138.6k

claude-opus-4-5-migration

2 files

Migrates code, prompts, and API calls from Claude Sonnet 4.0/4.5 or Opus 4.1 to Opus 4.5, updating model strings on Anthropic, AWS, GCP, Azure platforms.

claude-opus-4-5-migration

83.2k

evaluation-methodology

1 file

Details PluginEval's skill quality evaluation: 3 layers (static, LLM judge), 10 dimensions, rubrics, formulas, anti-patterns, badges. Use to interpret scores, improve triggering, calibrate thresholds.

plugin-eval

32.9k

Stats

Parent Repo Stars4

Parent Repo Forks0

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Astro Security

Agent Workflow (MANDATORY)

Before ANY implementation, use TeamCreate to spawn 3 agents:

fuse-ai-pilot:explore-codebase - Analyze existing security config, adapters, headers
fuse-ai-pilot:research-expert - Verify latest Astro 6 CSP docs via Context7/Exa
mcp__context7__query-docs - Check CSP compatibility with deployment adapter

After implementation, run fuse-ai-pilot:sniper for validation.

Overview

When to Use

Enabling CSP in an Astro 6 project (stable in v6.0.0)
Configuring security.csp in astro.config.mjs
Adding SHA-256/384/512 hashes for external scripts or styles
Using nonces for dynamic script injection
Setting up experimentalStaticHeaders for adapter-based CSP headers

CSP in Astro 6

Astro 6 ships Content Security Policy as a stable feature (previously experimental). When enabled:

Astro automatically generates SHA hashes for all bundled scripts and styles
Injects a <meta http-equiv="content-security-policy"> in each page's <head>
Supports script-src and style-src directives by default

Limitations:

Not supported in dev mode — test with build + preview
External scripts and styles require manual hash configuration
Incompatible with <ClientRouter /> view transitions (use native View Transition API)
Shiki syntax highlighter (inline styles) not currently supported

Reference Guide

Concepts

Topic	Reference	When to Consult
CSP overview	csp-overview.md	Understanding CSP in Astro 6
Configuration	csp-config.md	All config options
Script directive	script-directive.md	script-src configuration
Style directive	style-directive.md	style-src configuration
Nonces	nonces.md	Dynamic script injection
Static headers	static-headers.md	Adapter-based CSP headers

Templates

Template	When to Use
csp-basic.md	Basic CSP enable with algorithm
csp-advanced.md	Full config with directives + static headers

Best Practices

Always test with build + preview — CSP is inactive in dev mode
Start with SHA-512 — strongest hash algorithm
Use 'self' explicitly — not included by default in resources
Hash external scripts manually — compute SHA hashes for CDN resources
Combine with adapter headers — use experimentalStaticHeaders for Vercel/Netlify

Forbidden

Testing CSP in dev mode (doesn't work — always use build + preview)
Using <ClientRouter /> with CSP enabled
Forgetting to add 'self' when using resources array
Adding unsafe-inline (defeats purpose of CSP)