Content Security Policy (CSP)
CSP Header Analyzer
Runs locally in your browser — no network requests.
Paste your CSP
Paste a full header (Content-Security-Policy: ...) or just the value.
Recommendations
Based on common hardening best practices. Always validate in your app.
Normalized CSP
—
Script policy snapshot
Effective: —
Allows inline: —
Nonce/hash present: —
strict-dynamic: —
Clickjacking / framing
frame-ancestors: missing
Use frame-ancestors 'none' or an allowlist to control embedding.
Mixed content
upgrade-insecure-requests: not set
block-all-mixed-content: not set
Parsed directives
Each directive is shown as parsed tokens. Keep directives single and deliberate.
What CSP does
CSP is a browser policy that controls where content can load from (scripts, styles, images, XHR) and how pages can be embedded. A strong CSP can reduce the impact of XSS and data exfiltration bugs.
Suggested checklist
- default-src is restrictive (often 'none').
- script-src avoids 'unsafe-inline' and uses nonces/hashes.
- object-src is 'none'.
- base-uri is set.
- frame-ancestors is set.
Deployment notes
- Start with Report-Only to measure breakage.
- Then enforce after fixing violations.
- Prefer server headers over meta tags when possible.
How it works
Normalizes a CSP header/meta value, parses directives, flags risky tokens, and shows quick health badges (unsafe-inline, framing, mixed content). All analysis stays in your browser.
- Duplicate directives are highlighted because browsers may merge/override unpredictably.
- Report-Only is great for rollout; switch to enforce after fixing violations.
Quick examples
Copy the normalized CSP for headers after tweaking.
Mini FAQ
Why avoid 'unsafe-inline'?
Inline scripts bypass many protections; use nonces/hashes instead.
Report-Only vs Enforce?
Report-Only logs violations without blocking; Enforce blocks.
Do I need both report-uri and report-to?
Modern reporting prefers report-to; keep one consistent endpoint.
Related tools