DataToolings

CSP Header Analyzer

Analyze a Content-Security-Policy header for unsafe directives, missing policies, and security risks.

Paste the header value only (without "Content-Security-Policy:"). Press Cmd/Ctrl+Enter to analyze.

What Is a Content Security Policy?

Content Security Policy (CSP) is an HTTP response header (it can also be delivered in a <meta http-equiv> tag) that tells the browser which sources of scripts, styles, frames and other content a page may load or execute. It is one of the most effective mitigations against Cross-Site Scripting (XSS): even if an attacker injects markup, the browser refuses to run scripts the policy does not allow. A misconfigured CSP gives little or no protection while still looking like a security control, and a single 'unsafe-inline' or wildcard in script-src is usually enough to make the policy bypassable. This tool parses your CSP header and flags unsafe directives, missing policies, and common misconfigurations.

How to Use

  • Paste your Content-Security-Policy header value (without the header name)
  • Click Analyze or use the Load Sample button to see an example
  • Review findings grouped by severity: Critical, High, Medium, Info
  • The directive breakdown shows all parsed directives and their values

What This Tool Checks

  • 'unsafe-inline' in script-src: lets any injected inline <script> or event handler run, defeating the point of CSP; 'unsafe-eval' lets strings become code via eval(), new Function() and string arguments to setTimeout/setInterval
  • Wildcard sources (*) and bare scheme sources (http:, https:) in script-src: allow scripts from any host, so any attacker-controlled server is a valid source
  • data: URIs in script-src: the attacker supplies the script body inline in the URL, so this is equivalent to 'unsafe-inline'
  • Missing default-src, base-uri or form-action: fetch directives with no default fall open; a missing base-uri lets an injected <base> tag retarget relative script URLs; a missing form-action lets forms post credentials to any origin
  • object-src not 'none': allows <object>/<embed> plugin content, a historical bypass vector (Flash and other plugins) that no modern page needs
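The checks listed above are straightforward to implement once the header is tokenized. The following is an added example of such an analyzer, written for this page and not the tool's own source; directive names follow the CSP specification, while the severity labels, messages and the sample policies fed to it are my own choices. It also handles one detail a hand-written parser often misses: a fetch directive that is absent falls back to default-src, so script-src and object-src are judged by their effective source list, not only by whether they appear.

```javascript
// Added example: a minimal CSP analyzer implementing the checks listed on this page.
// Not the page's own tool code. Severities and messages are illustrative choices.

const CRITICAL = "Critical", HIGH = "High", MEDIUM = "Medium", INFO = "Info";

// Parse "default-src 'self'; script-src 'self' cdn.example" into a Map of
// directive name -> array of source expressions. Directive names are
// case-insensitive; browsers ignore a directive repeated later in the same
// policy, so the first occurrence wins here too.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective source list for a fetch directive: the directive itself if set,
// otherwise default-src, otherwise null (meaning "unrestricted").
function effectiveSources(directives, name) {
  if (directives.has(name)) return { sources: directives.get(name), from: name };
  if (directives.has("default-src")) return { sources: directives.get("default-src"), from: "default-src" };
  return null;
}

function analyzeCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const add = (severity, directive, message) => findings.push({ severity, directive, message });

  if (!d.has("default-src")) add(HIGH, "default-src", "missing: every fetch directive not set explicitly is unrestricted");
  if (!d.has("base-uri")) add(MEDIUM, "base-uri", "missing: an injected <base> tag can retarget relative script URLs");
  if (!d.has("form-action")) add(MEDIUM, "form-action", "missing: forms may submit to any origin");

  const script = effectiveSources(d, "script-src");
  if (script === null) {
    add(CRITICAL, "script-src", "neither script-src nor default-src set: scripts from anywhere are allowed");
  } else {
    const src = script.sources.map((s) => s.toLowerCase());
    const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (src.includes("'unsafe-inline'")) {
      // With a nonce or hash present, CSP Level 2+ browsers ignore 'unsafe-inline';
      // it is then only a fallback for very old browsers, so downgrade to Info.
      if (hasNonceOrHash) add(INFO, script.from, "'unsafe-inline' is ignored when a nonce or hash is present (legacy fallback only)");
      else add(CRITICAL, script.from, "'unsafe-inline' allows injected inline scripts and event handlers");
    }
    if (src.includes("'unsafe-eval'")) add(HIGH, script.from, "'unsafe-eval' allows eval(), new Function() and string timers");
    if (src.includes("*")) add(CRITICAL, script.from, "wildcard * allows scripts from any host");
    for (const scheme of ["http:", "https:"]) {
      if (src.includes(scheme)) add(HIGH, script.from, `scheme source ${scheme} allows any host on that scheme`);
    }
    if (src.includes("data:")) add(CRITICAL, script.from, "data: lets the attacker supply the script body inline");
  }

  const obj = effectiveSources(d, "object-src");
  if (obj === null || !obj.sources.map((s) => s.toLowerCase()).includes("'none'")) {
    add(MEDIUM, "object-src", "not 'none': <object>/<embed> plugin content is allowed");
  }

  return { directives: Object.fromEntries(d), findings };
}

// Convenience: count findings per severity, the way the tool groups them.
function countBySeverity(result) {
  const counts = { Critical: 0, High: 0, Medium: 0, Info: 0 };
  for (const f of result.findings) counts[f.severity] += 1;
  return counts;
}

// Constructed sample policies (not taken from any real site).
const WEAK_POLICY = "default-src https: 'unsafe-inline' 'unsafe-eval'";
const STRICT_POLICY = "default-src 'none'; script-src 'nonce-abc123' 'strict-dynamic'; object-src 'none'; base-uri 'none'; form-action 'self'";

if (typeof require !== "undefined" && require.main === module) {
  for (const p of [WEAK_POLICY, STRICT_POLICY]) {
    const r = analyzeCsp(p);
    console.log(p, "\n ", countBySeverity(r), "\n ", r.findings.map((f) => `${f.severity}: ${f.directive}: ${f.message}`).join("\n  "));
  }
}
```

The weak policy above is a common real-world shape: no script-src at all, so everything falls back to a default-src that allows any https: host plus inline code and eval. The analyzer reports it as one Critical, two High and three Medium findings, while the strict nonce-based policy produces none.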

FAQ

How do I get my CSP header?

Open DevTools → Network tab → select the request for the page document itself (the first HTML request, not an image or script) → Headers → Response Headers → Content-Security-Policy. Copy the value (everything after the colon). From a terminal, curl -sI https://example.com shows the same response headers. If the policy is set in a <meta http-equiv="Content-Security-Policy"> tag instead, it will not appear in the response headers; copy the tag's content attribute from the page source.

What is the difference between CSP and CSP Report-Only?

Content-Security-Policy enforces the policy and blocks violations. Content-Security-Policy-Report-Only only reports violations without blocking anything, so it offers no protection on its own; its purpose is to test a new or tightened policy against real traffic before enforcing it. Reports are only useful if the policy includes a report-to (or the older report-uri) directive pointing at an endpoint you collect from. Both headers can be sent together, with the enforced policy as the safety net and the stricter candidate in report-only mode.

How do I fix unsafe-inline in script-src?

Replace 'unsafe-inline' with nonces (script-src 'nonce-RANDOM') or hashes (script-src 'sha256-BASE64'). With nonces, the server generates a fresh, unpredictable random value for every response and puts the same value in the header and in the nonce attribute of each legitimate inline <script>; a nonce that is static, guessable or cached is as good as 'unsafe-inline'. With hashes, the header lists the base64 SHA-256 (or SHA-384/512) of each inline script's exact content, whitespace included, so any edit to the script requires a new hash. Inline event handlers such as onclick="..." and javascript: URLs are not covered by nonces; move them into a nonced or hashed script that calls addEventListener instead. Adding 'strict-dynamic' lets scripts that were allowed by nonce or hash load further scripts without listing every host.