πŸ›‘οΈ CSP is active β€” the malicious script is blocked at load time
← All demos Β· Passkeys Demo 1 of 4 Β· CSP

Silent Credential Forgery

A malicious script forges a passkey for your account in pure JavaScript at page-load — no biometric prompt, no authenticator interaction, no user gesture of any kind. CSP is the defence.

Protected — only your authenticator can register a credential here

Set up a passkey

Logged in as …. Click Register passkey to enrol your authenticator, then Sign in with passkey to authenticate.

✅ Attack blocked. CSP script-src 'self' stopped the malicious script from loading, so no new forgery happens here. The violation is reported to Report URI.

If you tested in unprotected mode first, any forged credentials from that run still live in your demo session — switching modes does not wipe server state. Click Reset demo to start clean.
CSP header sent with this page
default-src 'self'; script-src 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; report-uri https://helios.report-uri.com/r/t/csp/enforce; report-to default
What's happening

The defence is to keep the malicious script from running in the first place. script-src 'self' rejects <script src="https://evil-cyber-hacker.com/..."> before it executes, so no synthetic registration happens, and Report URI receives the violation event for visibility. Permissions Policy doesn't help against this attack — the forgery never invokes the WebAuthn API, so there's no API call to gate.
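To make the "What's happening" reasoning concrete, here is an added example (not the demo's own code) that evaluates the CSP header sent with this page against a few loads the way a browser's source matching does. It assumes a constructed page origin, https://passkeys.example, and a constructed path on the attacker host where the demo elides it.

```javascript
// Added example, not the demo's own code: a minimal CSP source evaluator that
// applies the header shown above to a few loads. It handles 'self', scheme
// sources (data:), host sources with a leading *., and the default-src
// fallback; browsers also implement nonces, hashes, ports and path matching.
const PAGE_CSP =
  "default-src 'self'; script-src 'self'; connect-src 'self'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' data:; " +
  "report-uri https://helios.report-uri.com/r/t/csp/enforce; report-to default";
const PAGE_ORIGIN = "https://passkeys.example"; // constructed stand-in for the demo's origin

// Parse "name src src; name src" into a Map of directive name -> source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression permit loading `target` (a URL) into a page at `pageOrigin`?
function sourceAllows(source, target, pageOrigin) {
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', 'nonce-', 'sha256-' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const host = source.includes("://") ? source : `${target.protocol}//${source}`; // scheme may be omitted
  const wildcard = host.includes("://*.");
  const allowed = new URL(host.replace("://*.", "://"));
  if (allowed.protocol !== target.protocol) return false;
  return wildcard ? target.hostname.endsWith(`.${allowed.hostname}`) : target.hostname === allowed.hostname;
}

// The browser consults the directive for the resource type and falls back to default-src.
function cspAllows(header, directive, url, pageOrigin = PAGE_ORIGIN) {
  const policy = parseCsp(header);
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // no directive governs this load
  const target = new URL(url);
  return sources.some((src) => sourceAllows(src, target, pageOrigin));
}

// The injected <script src="https://evil-cyber-hacker.com/..."> named in the demo (path elided
// there; 'self' rejects every path on a foreign origin) is refused before it can execute.
const forgeScriptBlocked = !cspAllows(PAGE_CSP, "script-src", "https://evil-cyber-hacker.com/");
// The page's own polling of /passkeys/api/credentials is same-origin, so connect-src 'self' allows it.
const pollAllowed = cspAllows(PAGE_CSP, "connect-src", `${PAGE_ORIGIN}/passkeys/api/credentials`);
// Had a payload run anyway, connect-src 'self' would stop it posting anything to a foreign origin.
const exfilBlocked = !cspAllows(PAGE_CSP, "connect-src", "https://evil-cyber-hacker.com/");
// img-src 'self' data: still lets inline data: images through.
const dataImgAllowed = cspAllows(PAGE_CSP, "img-src", "data:image/png;base64,iVBORw0KGgo=");
console.log({ forgeScriptBlocked, pollAllowed, exfilBlocked, dataImgAllowed }); // all true
```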

Credentials registered to your account

Live — polls /passkeys/api/credentials every second.


Activity log

Real-time trace of legitimate ceremony steps, attacker payload steps (if any), and CSP violations.
