
Content Security Policy (CSP)

CSP Header Analyzer

Runs locally in your browser — no network requests.


Paste your CSP

Paste a full header (Content-Security-Policy: ...) or just the value. The analyzer reports the number of directives parsed and the total length of the value.

Recommendations

Recommendations follow common hardening practice. Always validate the resulting policy in your own application: the analyzer only sees the header, not what your pages actually load.

Normalized CSP

The parsed policy, re-serialized in a normalized form (one directive per entry, tokens separated by single spaces) so it can be compared and copied.

Script policy snapshot

Effective: the directive that governs scripts, script-src if present, otherwise default-src as the fallback. If neither is set, scripts are unrestricted.

Allows inline: whether inline scripts may run. 'unsafe-inline' allows them, but a CSP2+ browser ignores 'unsafe-inline' once a nonce or hash source is also listed.

Nonce/hash present: whether a 'nonce-...' or 'sha256-'/'sha384-'/'sha512-' source is listed.

strict-dynamic: whether 'strict-dynamic' is present, which makes the browser trust scripts loaded by an already-trusted (nonced or hashed) script and ignore host and scheme allowlists in that directive.

Clickjacking / framing

frame-ancestors: reported as missing when absent. Use frame-ancestors 'none' or an allowlist to control embedding. This directive does not inherit from default-src, so it must be set explicitly.

Mixed content

upgrade-insecure-requests: reported as not set when absent. It rewrites http: subresource and navigation requests to https: before they are made.

block-all-mixed-content: reported as not set when absent. It is deprecated; prefer upgrade-insecure-requests.

Parsed directives

Each directive is shown as parsed tokens. Keep directives single and deliberate: if a directive name appears more than once in one policy, browsers enforce only the first occurrence and ignore the rest.

What CSP does

CSP is a browser-enforced policy, delivered as the Content-Security-Policy response header (or a meta tag), that controls which origins a page may load resources from (scripts, styles, images, fetch/XHR connections) and which sites may embed the page. It does not fix an injection bug, but a strong policy limits what injected markup can do: with scripts restricted to nonces or hashes an injected <script> will not execute, and with connect-src and the other fetch directives restricted, the channels available for data exfiltration are narrowed.

Suggested checklist

  • default-src is restrictive (often 'none'), so every resource type the page needs is allowlisted explicitly.
  • script-src avoids 'unsafe-inline' and uses nonces or hashes; once a nonce or hash is listed, modern browsers ignore a leftover 'unsafe-inline'.
  • object-src is 'none', closing the plugin (object/embed) script-execution path; object-src falls back to default-src, so default-src 'none' covers it.
  • base-uri is set (e.g. 'self' or 'none'); it does not inherit from default-src, and without it an injected <base> tag can redirect relative script URLs to an attacker's host.
  • frame-ancestors is set; it does not inherit from default-src either, and it supersedes X-Frame-Options in browsers that support it.
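The script policy snapshot, the parsed-directives view and the checklist above can all be driven from one small parser. The following is an added example written for this page, not the analyzer's own code: a dependency-free CSP parser with the checks described above (first-occurrence-wins for duplicate directives, script-src falling back to default-src, 'unsafe-inline' being ignored when a nonce or hash is present, and the directives that do not inherit from default-src). The sample header at the bottom is constructed for illustration and does not come from any real site.

```javascript
// Added example, not the analyzer page's own code: a dependency-free CSP
// parser plus the checks the page describes. Runs in Node or a browser
// (no DOM access, no network).

// Parse a CSP value, or a full "Content-Security-Policy: ..." header line,
// into a Map of directive name -> source tokens. A directive that appears
// more than once is recorded as a duplicate and ignored: browsers enforce
// only the first occurrence.
function parseCsp(input) {
  let value = String(input).trim();
  const header = value.match(/^content-security-policy(-report-only)?\s*:\s*/i);
  if (header) value = value.slice(header[0].length);

  const directives = new Map();
  const duplicates = [];
  for (const chunk of value.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    if (directives.has(name)) { duplicates.push(name); continue; }
    directives.set(name, tokens.slice(1)); // nonces/hashes are case-sensitive, keep as-is
  }
  return { directives, duplicates };
}

// Normalized form: one space between tokens, "; " between directives.
function serializeCsp(directives) {
  return [...directives].map(([name, tokens]) => [name, ...tokens].join(' ')).join('; ');
}

// Script policy snapshot. script-src falls back to default-src; with
// neither present, scripts are unrestricted.
function scriptPolicy(directives) {
  const effective = directives.has('script-src') ? 'script-src'
    : directives.has('default-src') ? 'default-src' : null;
  const tokens = effective ? directives.get(effective).map(t => t.toLowerCase()) : [];
  const nonceOrHash = tokens.some(t => /^'(nonce-|sha(256|384|512)-)/.test(t));
  const unsafeInline = tokens.includes("'unsafe-inline'");
  return {
    effective,
    // A CSP2+ browser ignores 'unsafe-inline' once a nonce or hash is listed,
    // so inline scripts really run only when no nonce/hash accompanies it.
    allowsInline: effective === null || (unsafeInline && !nonceOrHash),
    nonceOrHash,
    strictDynamic: tokens.includes("'strict-dynamic'"),
    // Scheme-only or wildcard sources let any matching origin serve scripts.
    broadSources: tokens.filter(t => ['*', 'http:', 'https:', 'data:'].includes(t)),
  };
}

// Recommendations in the spirit of the checklist. object-src inherits from
// default-src; base-uri and frame-ancestors do not and must be set explicitly.
function recommend({ directives, duplicates }) {
  const tokens = name => (directives.get(name) || []).map(t => t.toLowerCase());
  const out = [];
  for (const name of duplicates) {
    out.push(`${name} appears more than once; only the first occurrence is enforced`);
  }
  if (!directives.has('default-src')) {
    out.push("default-src is missing; set it (often 'none') so unlisted fetch directives are not open");
  }
  const sp = scriptPolicy(directives);
  if (sp.effective === null) out.push('no script-src or default-src: scripts may load from anywhere');
  if (sp.allowsInline) out.push("script policy allows inline scripts; replace 'unsafe-inline' with nonces or hashes");
  if (sp.broadSources.length) out.push(`script policy has broad sources: ${sp.broadSources.join(' ')}`);
  if (tokens(sp.effective).includes("'unsafe-eval'")) out.push("script policy allows 'unsafe-eval'");
  const objectSrc = directives.has('object-src') ? tokens('object-src') : tokens('default-src');
  if (!objectSrc.includes("'none'")) out.push("object-src is not 'none'");
  if (!directives.has('base-uri')) out.push("base-uri is missing; set it (e.g. 'self') so an injected <base> cannot redirect relative URLs");
  if (!directives.has('frame-ancestors')) out.push("frame-ancestors is missing; use 'none' or an allowlist to control embedding");
  if (!directives.has('upgrade-insecure-requests')) out.push('upgrade-insecure-requests is not set');
  return out;
}

// Full report for one header: normalized policy, script snapshot,
// framing directive and recommendations.
function analyze(input) {
  const parsed = parseCsp(input);
  return {
    normalized: serializeCsp(parsed.directives),
    script: scriptPolicy(parsed.directives),
    frameAncestors: parsed.directives.get('frame-ancestors') || null,
    recommendations: recommend(parsed),
  };
}

// Constructed sample header for illustration (not taken from a real site).
// Note the duplicated script-src, which the parser flags and ignores.
const SAMPLE = "Content-Security-Policy: default-src 'none'; script-src 'nonce-R4nd0m' 'unsafe-inline' 'strict-dynamic'; script-src 'self'; img-src 'self' data:; base-uri 'self'";
console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```

For the sample above the snapshot reports script-src as the effective directive with a nonce and 'strict-dynamic' present, so inline scripts are not allowed despite the leftover 'unsafe-inline'; the recommendations flag the duplicate script-src, the missing frame-ancestors and the missing upgrade-insecure-requests, while object-src is not flagged because default-src 'none' already covers it.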

Deployment notes

  • Start with Content-Security-Policy-Report-Only, pointing report-to or report-uri at a collection endpoint, to measure breakage without blocking anything.
  • Switch to the enforcing Content-Security-Policy header only after the reported violations have been fixed or consciously accepted.
  • Prefer server headers over meta tags when possible: a <meta http-equiv> policy cannot carry frame-ancestors, report-uri or sandbox, Report-Only mode is header-only, and a meta policy only applies to content that follows it in the document.