Install: claude install-skill fusengine/agents
# Astro Security
## Agent Workflow (MANDATORY)
Before ANY implementation, use `TeamCreate` to spawn 3 agents:
1. **fuse-ai-pilot:explore-codebase** - Analyze existing security config, adapters, headers
2. **fuse-ai-pilot:research-expert** - Verify latest Astro 6 CSP docs via Context7/Exa
3. **mcp__context7__query-docs** - Check CSP compatibility with deployment adapter
After implementation, run **fuse-ai-pilot:sniper** for validation.
---
## Overview
### When to Use
- Enabling CSP in an Astro 6 project (stable in v6.0.0)
- Configuring `security.csp` in `astro.config.mjs`
- Adding SHA-256/384/512 hashes for external scripts or styles
- Using nonces for dynamic script injection
- Setting up `experimentalStaticHeaders` for adapter-based CSP headers
### CSP in Astro 6
Astro 6 ships Content Security Policy as a **stable** feature (previously experimental). When enabled:
- Astro automatically generates SHA hashes for all bundled scripts and styles
- It injects a `<meta http-equiv="content-security-policy">` tag into each page's `<head>`
- It supports the `script-src` and `style-src` directives by default
**Limitations:**
- Not supported in `dev` mode — test with `build` + `preview`
- External scripts and styles require manual hash configuration
- Incompatible with `<ClientRouter />` view transitions (use native View Transition API)
- Shiki syntax highlighter (inline styles) not currently supported
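
Because CSP is not active in `dev` mode, the policy has to be checked against built HTML. The following Node.js script is an added example, not part of the skill or of Astro: it reads the meta CSP from a page and reports inline scripts whose hash is missing from `script-src`. The function names, the sample page and the assumption that the `content` attribute is double-quoted are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// CSP hash source: '<alg>-<base64 digest>' over the exact text of the script.
function cspHash(content, algorithm = 'sha256') {
  if (!['sha256', 'sha384', 'sha512'].includes(algorithm)) {
    throw new Error(`unsupported CSP hash algorithm: ${algorithm}`);
  }
  return `${algorithm}-${createHash(algorithm).update(content, 'utf8').digest('base64')}`;
}

// Pull the policy string out of <meta http-equiv="content-security-policy" content="...">.
function extractMetaCsp(html) {
  const tag = html.match(/<meta\b[^>]*http-equiv=["']content-security-policy["'][^>]*>/i);
  const content = tag && tag[0].match(/\bcontent="([^"]*)"/i);
  return content ? content[1] : null;
}

// Split a policy into directive name -> set of source expressions (quotes stripped).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), new Set(sources.map((s) => s.replace(/^'|'$/g, ''))));
  }
  return directives;
}

// Return the inline scripts whose hash does not appear in script-src.
function findUnhashedInlineScripts(html) {
  const policy = extractMetaCsp(html);
  if (policy === null) throw new Error('no CSP meta tag found');
  const allowed = parsePolicy(policy).get('script-src') ?? new Set();
  const missing = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    if (/\bsrc\s*=/i.test(m[1])) continue; // external script: its hash covers the fetched file
    const ok = ['sha256', 'sha384', 'sha512'].some((alg) => allowed.has(cspHash(m[2], alg)));
    if (!ok) missing.push(m[2]);
  }
  return missing;
}

// Constructed sample page (not real Astro build output): one hashed script, one not.
const hashed = 'console.log("hydrate")';
const samplePage = `<html><head><meta http-equiv="content-security-policy" content="script-src 'self' '${cspHash(hashed)}'; style-src 'self'"></head>
<body><script>${hashed}</script><script>console.log("added later")</script></body></html>`;
console.log(findUnhashedInlineScripts(samplePage));
```

`cspHash` also produces the value to configure for an external script or style when given that file's contents.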
---
## Reference Guide
### Concepts
| Topic | Reference | When to Consult |
|-------|-