Home/CSP Analyzer
[ W.4 — CSP ]

CSP
Analyzer.

Analyze a Content Security Policy — fetch it from a URL or paste one directly. See every directive, find weaknesses, and get fix recommendations.

Last reviewed: May 2026

Paste a raw Content-Security-Policy header value. Analysis runs entirely in your browser; nothing is sent to the server.

Audit your full security header set.

Check all security headers →
W.2

HTTP Security Headers

Full security-headers grader — CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, all of it.
W.3

HSTS Preload Checker

Check if a domain enforces HTTPS via HSTS and qualifies for the browser preload list.
W.1

SSL Certificate Inspector

Inspect the TLS certificate, chain, expiry, and cipher suite for any domain.

What is CSP?

Content Security Policy is an HTTP response header that tells the browser which sources of script, style, image, font, and other resources are allowed to load on a page. It's the primary in-browser defence against XSS (cross-site scripting) — if an attacker manages to inject a <script src="evil.example/payload.js"> tag into your page, the browser blocks the load unless evil.example is on your script-src allowlist.

CSP is configured per page via the Content-Security-Policy response header (or, less commonly, a <meta http-equiv="Content-Security-Policy"> tag). It's been a baseline expectation in serious-grade WebPKI deployments since CSP Level 2 shipped in 2015; the modern spec is Level 3.

How CSP works

The browser parses the policy when the response arrives, then checks every resource load and inline script execution against the matching directive. A match means "allowed, run it." No match means the load is blocked and a violation is queued for reporting (if report-uri or report-to is configured).

There's also a Report-Only mode: Content-Security-Policy-Report-Only sends violation reports without blocking anything. Useful for piloting a tightened policy in production — turn it on for a week, watch the reports, fix the legitimate violations, then promote to enforcing mode.

The evolution of CSP

  • CSP Level 1 (2012): basic allowlisting. default-src, script-src, style-src, and a handful of others. Workable but verbose.
  • CSP Level 2 (2015): added nonces ('nonce-...') and hashes ('sha256-...') so you could allow specific inline scripts without opening the door to 'unsafe-inline'. Also added frame-ancestors, replacing X-Frame-Options.
  • CSP Level 3 (2018+): strict-dynamic (trust scripts loaded by a nonced script), Trusted Types, hashed source for external scripts, wasm-unsafe-eval. Modern best practice is "strict CSP" — a nonce + strict-dynamic + object-src 'none' + base-uri 'none', and that's effectively the whole policy.

The most common CSP mistakes

  • 'unsafe-inline' in script-src — defeats the entire XSS-prevention purpose. If your page has inline <script> tags, switch them to external files or attach nonces; don't allow inline blanket-fashion.
  • Wildcard * in any fetch directive — effectively no restriction. script-src * means any origin's script may load.
  • Forgetting object-src — without this, the browser default for plugins (Flash, applets, embeds) is "allow." Always set object-src 'none'.
  • Forgetting frame-ancestors — controls who can iframe you, which is the cheapest clickjacking defence available. Set to 'none' or your own origin.
  • Forgetting base-uri — without this, an attacker who injects a <base> tag can rewrite every relative URL on the page. Set base-uri 'self' or 'none'.
  • Using only report-uri — deprecated in favour of report-to. Old browsers honour report-uri, new ones honour report-to; set both during the transition.

CSP vs other security headers

CSP controls resource loading and execution inside the page. It is one of about a dozen security headers — and the others do different jobs that complement rather than replace it.

  • HSTS (Strict-Transport-Security) forces HTTPS. CSP doesn't touch transport.
  • X-Frame-Options (or the modern frame-ancestors directive inside CSP) controls embedding.
  • CORS (Access-Control-Allow-Origin) controls cross-origin reads of your responses. CSP controls what your page may load; CORS controls what others may read.
  • Referrer-Policy controls outbound Referer headers.
  • Permissions-Policy controls browser API access (camera, geolocation, etc.).

The full audit — every one of those headers, in one pass — is the security headers grader. This tool focuses on CSP in particular and goes deeper into each directive.