Dynamic Content Security Policy Generation and Management Using URL Safety Verification
Abstract
Configuring and maintaining a Content Security Policy (CSP) is a critical defense against attacks like Cross-Site Scripting (XSS), but it is a notoriously difficult task for modern web applications. Static policies are brittle and fail to accommodate dynamically loaded third-party resources, often leading to security policies that are either too restrictive, breaking site functionality, or too permissive, rendering them ineffective. This paper presents a dynamic CSP generation and management system that automates the policy lifecycle. Our system employs a two-phase approach: an initial static analysis crawls the application to generate a strict baseline policy, followed by a continuous ’learning mode’ that refines this policy in real time. When the browser, operating in report-only mode, flags a violation for a new resource, our system intercepts the report. The resource’s URL is then automatically vetted through a security pipeline that checks it against threat intelligence feeds and for vulnerabilities such as JSON with Padding (JSONP). Validated resources are programmatically added to the policy, which uses cryptographic nonces to secure inline scripts. Our evaluation on a representative application demonstrated that the system reduced CSP violations by 89.47% after a single learning cycle. The security pipeline was proven to successfully block known malicious URLs and high-risk JSONP endpoints, while the nonce-based mechanism effectively neutralized a simulated XSS attack, all with negligible performance overhead.
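The learning-mode loop the abstract describes (a report-only CSP, an intercepted violation report, a vetting pipeline, and a policy update that carries a per-response nonce) can be sketched end to end in a few dozen lines. The following is an added illustration, not code from the paper or its system. It assumes the browser POSTs reports in the standard `csp-report` JSON shape, uses a constructed stand-in for a threat-intelligence feed, and implements the JSONP check as a simple heuristic on callback-style query parameters (the paper does not state which heuristic it uses); the sample reports are constructed, not real telemetry.

```python
import json
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for a threat-intelligence feed (not real indicators).
THREAT_INTEL_BLOCKLIST = {"malicious-cdn.example", "tracker.invalid"}

# Assumption: JSONP endpoints are recognised by a callback-selecting query
# parameter. The paper does not specify its JSONP heuristic; this is one
# simple, conservative check.
JSONP_CALLBACK_PARAMS = {"callback", "jsonp", "cb"}


def parse_violation_report(raw_report: str):
    """Extract (directive, blocked_uri) from a browser CSP violation report."""
    body = json.loads(raw_report)["csp-report"]
    # "effective-directive" names the directive actually applied; older
    # reports only carry "violated-directive", whose first token is the name.
    directive = body.get("effective-directive") or body["violated-directive"].split()[0]
    return directive, body["blocked-uri"]


def vet_url(url: str):
    """Security pipeline for a newly observed resource URL: (accepted, reason)."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "scheme-not-https"
    host = (parsed.hostname or "").lower()
    if host in THREAT_INTEL_BLOCKLIST or any(host.endswith("." + d) for d in THREAT_INTEL_BLOCKLIST):
        return False, "threat-intel-match"
    query_keys = {k.lower() for k in parse_qs(parsed.query, keep_blank_values=True)}
    if query_keys & JSONP_CALLBACK_PARAMS:
        return False, "jsonp-endpoint"
    return True, "accepted"


def origin_of(url: str) -> str:
    """Allowlist the origin rather than the exact path, as a CSP source expression."""
    parsed = urlparse(url)
    return f"{parsed.scheme}://{parsed.netloc}"


class PolicyManager:
    """Holds the evolving policy and applies vetted report-only violations to it."""

    def __init__(self, baseline):
        self.policy = {d: list(s) for d, s in baseline.items()}
        self.rejected = []  # (url, reason) pairs for auditing

    def handle_report(self, raw_report: str) -> bool:
        directive, blocked_uri = parse_violation_report(raw_report)
        accepted, reason = vet_url(blocked_uri)
        if not accepted:
            self.rejected.append((blocked_uri, reason))
            return False
        sources = self.policy.setdefault(directive, ["'self'"])
        origin = origin_of(blocked_uri)
        if origin not in sources:
            sources.append(origin)
        return True

    def render(self, nonce: str, report_only: bool = True):
        """Serialise the policy; script-src gets a per-response nonce for inline scripts."""
        parts = []
        for directive, sources in self.policy.items():
            srcs = list(sources)
            if directive == "script-src":
                srcs.append(f"'nonce-{nonce}'")
            parts.append(f"{directive} {' '.join(srcs)}")
        header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
        return header, "; ".join(parts)


def new_nonce() -> str:
    """Fresh unguessable nonce; must be regenerated for every response."""
    return secrets.token_urlsafe(16)


# Constructed sample reports, in the shape a browser in report-only mode POSTs.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://app.example/", "effective-directive": "script-src", "violated-directive": "script-src", "blocked-uri": "https://cdn.example/lib/widget.js"}}',
    '{"csp-report": {"document-uri": "https://app.example/", "effective-directive": "script-src", "violated-directive": "script-src", "blocked-uri": "https://malicious-cdn.example/loader.js"}}',
    '{"csp-report": {"document-uri": "https://app.example/", "effective-directive": "script-src", "violated-directive": "script-src", "blocked-uri": "https://api.example/data?callback=handle"}}',
]


def run_learning_cycle(reports=SAMPLE_REPORTS) -> PolicyManager:
    """One learning cycle: start from a strict baseline and apply each report."""
    manager = PolicyManager({"default-src": ["'self'"], "script-src": ["'self'"]})
    for raw in reports:
        manager.handle_report(raw)
    return manager


if __name__ == "__main__":
    m = run_learning_cycle()
    print(m.render(new_nonce()))
    print("rejected:", m.rejected)
```

After the cycle above only `https://cdn.example` is added to `script-src`; the blocklisted host and the JSONP endpoint land in `rejected` with their reasons. In a real deployment the nonce from `new_nonce()` must be emitted both in the header and as the `nonce` attribute of each legitimate inline `<script>` in that same response, and the header is switched from report-only to enforced once the learning cycle has stabilised.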