Home/Security Tools/CSP header analyzer

Content Security Policy (CSP)

CSP Header Analyzer

Runs locally in your browser — no network requests.

Local only Checklist + hints

Paste your CSP

Paste a full header (Content-Security-Policy: ...) or just the value.

Directives: 0 Length: 0

Recommendations

Based on common hardening best practices. Always validate in your app.

Paste a CSP header to see recommendations.

Normalized CSP

Script policy snapshot

Effective:

Allows inline:

Nonce/hash present:

strict-dynamic:

Clickjacking / framing

frame-ancestors: missing

Use frame-ancestors 'none' or an allowlist to control embedding.

Mixed content

upgrade-insecure-requests: not set

block-all-mixed-content: not set

Parsed directives

Each directive is shown as parsed tokens. Keep directives single and deliberate.

No directives parsed yet.

What CSP does

CSP is a browser policy that controls where content can load from (scripts, styles, images, XHR) and how pages can be embedded. A strong CSP can reduce the impact of XSS and data exfiltration bugs.

Suggested checklist

  • default-src is restrictive (often 'none').
  • script-src avoids 'unsafe-inline' and uses nonces/hashes.
  • object-src is 'none'.
  • base-uri is set.
  • frame-ancestors is set.

Deployment notes

  • Start with Report-Only to measure breakage.
  • Then enforce after fixing violations.
  • Prefer server headers over meta tags when possible.

How it works

Normalizes a CSP header/meta value, parses directives, flags risky tokens, and shows quick health badges (unsafe-inline, framing, mixed content). All analysis stays in your browser.

  • Duplicate directives are highlighted because browsers may merge/override unpredictably.
  • Report-Only is great for rollout; switch to enforce after fixing violations.

Quick examples

Hardened
default-src 'none'; script-src 'self' 'nonce-abc'; object-src 'none'; frame-ancestors 'none'
No unsafe-inline; framing blocked
Needs work
default-src *; script-src 'unsafe-inline' https:
Flags unsafe-inline and wildcard

Copy the normalized CSP for headers after tweaking.

Mini FAQ

Why avoid 'unsafe-inline'?

Inline scripts bypass many protections; use nonces/hashes instead.

Report-Only vs Enforce?

Report-Only logs violations without blocking; Enforce blocks.

Do I need both report-uri and report-to?

Modern reporting prefers report-to; keep one consistent endpoint.