fusengine/astro-security
plugins/astro-expert/skills/astro-security/SKILL.md
Use when configuring Content Security Policy (CSP) in Astro 6, setting security headers, managing script/style hashes, using nonces, or implementing experimentalStaticHeaders for adapter deployments.
$ install --global
skillsauthnpx skillsauth add fusengine/agents astro-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 7:51 AM4.0s1 file scanned
SKILL.md
- name:
- astro-security
- description:
- Use when configuring Content Security Policy (CSP) in Astro 6, setting security headers, managing script/style hashes, using nonces, or implementing experimentalStaticHeaders for adapter deployments.
- astro:
- 6
- user-invocable:
- true
- references:
- references/csp-overview.md, references/csp-config.md, references/script-directive.md, references/style-directive.md, references/nonces.md, references/static-headers.md, references/templates/csp-basic.md, references/templates/csp-advanced.md
- related-skills:
- astro-6, astro-deployment, solid-astro
Astro Security
Agent Workflow (MANDATORY)
Before ANY implementation, use TeamCreate to spawn 3 agents:
- fuse-ai-pilot:explore-codebase - Analyze existing security config, adapters, headers
- fuse-ai-pilot:research-expert - Verify latest Astro 6 CSP docs via Context7/Exa
- mcp__context7__query-docs - Check CSP compatibility with deployment adapter
After implementation, run fuse-ai-pilot:sniper for validation.
Overview
When to Use
- Enabling CSP in an Astro 6 project (stable in v6.0.0)
- Configuring
security.cspinastro.config.mjs - Adding SHA-256/384/512 hashes for external scripts or styles
- Using nonces for dynamic script injection
- Setting up
experimentalStaticHeadersfor adapter-based CSP headers
CSP in Astro 6
Astro 6 ships Content Security Policy as a stable feature (previously experimental). When enabled:
- Astro automatically generates SHA hashes for all bundled scripts and styles
- Injects a
<meta http-equiv="content-security-policy">in each page's<head> - Supports
script-srcandstyle-srcdirectives by default
Limitations:
- Not supported in
devmode — test withbuild+preview - External scripts and styles require manual hash configuration
- Incompatible with
<ClientRouter />view transitions (use native View Transition API) - Shiki syntax highlighter (inline styles) not currently supported
Reference Guide
Concepts
| Topic | Reference | When to Consult | |-------|-----------|-----------------| | CSP overview | csp-overview.md | Understanding CSP in Astro 6 | | Configuration | csp-config.md | All config options | | Script directive | script-directive.md | script-src configuration | | Style directive | style-directive.md | style-src configuration | | Nonces | nonces.md | Dynamic script injection | | Static headers | static-headers.md | Adapter-based CSP headers |
Templates
| Template | When to Use | |----------|-------------| | csp-basic.md | Basic CSP enable with algorithm | | csp-advanced.md | Full config with directives + static headers |
Best Practices
- Always test with build + preview — CSP is inactive in dev mode
- Start with SHA-512 — strongest hash algorithm
- Use
'self'explicitly — not included by default in resources - Hash external scripts manually — compute SHA hashes for CDN resources
- Combine with adapter headers — use
experimentalStaticHeadersfor Vercel/Netlify
Forbidden
- Testing CSP in
devmode (doesn't work — always usebuild + preview) - Using
<ClientRouter />with CSP enabled - Forgetting to add
'self'when usingresourcesarray - Adding
unsafe-inline(defeats purpose of CSP)
Related Skills
fusengine/seo-entity
development
VerifiedTrustedCommunity
Use when optimizing entity-based / semantic SEO 2026. Covers entity maps, Google Knowledge Graph resolution, salience scoring, passage-level ranking, about/sameAs/knowsAbout schema, Cloud Natural Language API validation.
13SKILL.mdUpdated Jun 4, 2026
fusengine/seo
development
VerifiedTrustedCommunity
Use when running SEO, GEO, schema, Core Web Vitals, sitemap, hreflang, E-E-A-T, AI Overviews, technical SEO, or structured data tasks. Covers full-site audits, single-page analysis, schema markup, content quality, AI search optimization, local SEO, sitemap/robots, internal linking, semantic clustering, and search experience.
13SKILL.mdUpdated May 17, 2026
fusengine/seo-sxo
development
VerifiedTrustedCommunity
Use when optimizing search experience (SXO). Covers intent matching, user personas, user stories, page-type analysis, dwell time, scroll depth, pogo-sticking prevention.
13SKILL.mdUpdated May 17, 2026
fusengine/seo-local
development
VerifiedTrustedCommunity
Use when optimizing local SEO. Covers Google Business Profile, NAP consistency, citations, reviews acquisition, Local Pack ranking, location pages, LocalBusiness schema.
13SKILL.mdUpdated May 17, 2026