Product and Methodology

About Script Sentinel

Script Sentinel is a browser-based Content Security Policy scanner and generator for developers and teams that want an editable policy candidate based on observed page behavior.

Our mission is to make CSP development easier to understand, test, and maintain. Script Sentinel combines browser evidence, directive analysis, report-only guidance, and drift monitoring without treating a bounded scan as proof that every application flow was covered.

Why We Built Script Sentinel

Manual CSP authoring can be tedious and error-prone, especially when pages load scripts, styles, APIs, frames, and other assets dynamically. Script Sentinel uses a bounded Chrome crawl to make observed page activity easier to inspect and turn into a reviewable starting policy.

The scanner flags mixed-content evidence and review-worthy CSP values, calculates a heuristic review score, and can add optional SHA-256 sources for inline content observed on scanned pages. Its output is a starting point for source review and report-only testing, not a security certification or enforcement-ready guarantee.

What a Bounded Scan Cannot Guarantee

A scan reflects only the pages and states it reaches. Authenticated, form-driven, consent-gated, conditional, feature-flagged, timed, geographic, device-specific, lazy-loaded, and other user-triggered flows can contain resources that are not observed.

Script Sentinel does not determine whether an observed third party is trustworthy, prove that the application is free of vulnerabilities, or replace output encoding, sanitization, dependency review, and application testing. It also does not intentionally submit forms or modify the target site, although loading pages and executing their JavaScript can trigger ordinary page-load network activity. Scan only sites you are authorized to test.

How Scan Data Is Handled

Anonymous one-off scan artifacts are kept in temporary in-memory session state and pruned after the configured inactivity period. Limited operational and security logs can retain request metadata and scan URLs with query strings and fragments removed.

Premium monitoring intentionally stores verified-site configuration, run artifacts, CSP recommendations, baseline state, and drift history so the dashboard, exports, schedules, and alerts can work. The Privacy Policy explains these paths and their retention model in more detail.

From a Free Scan to Monitored Rollout

The free generator supports one-off scans of up to 3 pages. It produces an editable CSP candidate, review score, browser evidence, and copyable or downloadable output.

For verified sites, Script Sentinel Premium adds monitored scans of up to 10 pages, accepted baselines, drift comparison, run history, alerts, and CSP Rollout Assistant output. These signals support an application owner's rollout decision; they do not replace representative report-only testing.

Chrome and Firefox Companion Extensions

The Script Sentinel Chrome extension and Script Sentinel Firefox Add-on start a user-requested free scan from the active tab. Recent extension scan history stays in extension-local storage on the device.