Do not jump straight to enforcement: start with a staging or report-only posture, open the dynamic pages, test tools and exports, then tighten only after the browser console is clean.
Security Headers
Test Content Security Policy in staging before enforcing it.
Vuln Signal uses JavaScript modules, runtime-rendered content, copy/export helpers, and API lookups. CSP should be staged, observed, and tightened carefully.
Staging Checklist
Pages and behaviors a CSP test must cover
Module boot
Open Home, Status, Tools, Search, Detail, Threat Map, Practice Lab, and one tool page. Confirm JavaScript modules load without blocked imports.
API and data fetches
Check live feed endpoints, static search index loading, MITRE lazy data, and tool lookups such as DNS or mail authentication.
Inline and generated content
Review route-rendered cards, JSON-LD, dynamic metadata, generated tool output, modal content, and copied wrapper text.
Copy and download actions
Test clipboard buttons, JSON downloads, CSV downloads, saved workspace exports, and any locally generated Blob output.
Navigation and mobile
Check the top menu, large dropdowns, mobile toggle, keyboard focus, and active states. CSP mistakes can look like broken navigation.
Console and reports
Review browser console violations and any report endpoint output. Separate real policy blocks from browser extension noise before changing headers.
Decision Rules
When CSP is ready to move forward
Ready for enforcement
All core routes render, all tool output actions work, API calls succeed as expected, and violation reports show no project-owned blockers.
Keep in report-only
Any dynamic page breaks, a download or copy workflow fails, a route import is blocked, or reports are too noisy to interpret.
Document exceptions
If a policy needs `unsafe-inline`, external endpoints, or broad script permissions, record why and set a follow-up to narrow it later.
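The report triage step in the checklist above and the "ready for enforcement" rule, written out as an added example that is not Vuln Signal's own code: it builds the report-only header from a directive map, normalises both violation-report formats, and separates project-owned blocks from browser-extension noise. The policy sources, hostnames, report endpoint name and sample reports are constructed placeholders.

```javascript
// Added example, not Vuln Signal's own code: build the report-only staging CSP header,
// then triage violation reports into project-owned blockers vs. extension noise.

// Staging directive map; the API host is a constructed placeholder.
const stagingPolicy = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "connect-src": ["'self'", "https://api.staging.example.invalid"],
  "report-to": ["csp-endpoint"],
};

// Serialise the map into a header; stays report-only until enforce is true.
function buildCspHeader(policy, enforce = false) {
  const name = enforce ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only";
  const value = Object.entries(policy).map(([d, s]) => `${d} ${s.join(" ")}`).join("; ");
  return { name, value };
}

// Only an extension or the browser itself can originate these schemes.
const NOISE = /^(chrome|moz|safari-web)-extension:|^about:/;

// Accept the legacy report-uri shape ({"csp-report": {...}}) and the
// Reporting API shape ({type: "csp-violation", body: {...}}).
function normaliseReport(report) {
  const b = report["csp-report"] || report.body || {};
  return {
    directive: b["effective-directive"] || b.effectiveDirective || "",
    blocked: b["blocked-uri"] || b.blockedURL || "",
    source: b["source-file"] || b.sourceFile || "",
  };
}

// Extension-scheme violations are noise; everything else is project-owned.
function triageReports(reports) {
  const owned = [], noise = [];
  for (const v of reports.map(normaliseReport)) {
    (NOISE.test(v.blocked) || NOISE.test(v.source) ? noise : owned).push(v);
  }
  return { owned, noise };
}
// Decision rule from the checklist: enforce only with zero project-owned blockers.
const readyToEnforce = (reports) => triageReports(reports).owned.length === 0;

// Constructed sample reports: one real inline-script block, two extension noise.
const sampleReports = [
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "inline",
      "source-file": "https://staging.example.invalid/tools/dns" } },
  { "csp-report": { "effective-directive": "script-src",
      "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js" } },
  { type: "csp-violation", body: { effectiveDirective: "style-src",
      blockedURL: "inline", sourceFile: "moz-extension://1234-5678/inject.js" } },
];
```

With the sample set, `triageReports(sampleReports)` leaves one project-owned blocker (the inline script on the tool page), so `readyToEnforce` stays false until that block is fixed or documented as an exception.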