CSP Evaluator
Analyze your Content Security Policy headers for vulnerabilities and misconfigurations.
What This Tool Checks
Deep analysis of Content Security Policy directives and their security implications.
Unsafe Directive Detection
Flags unsafe-inline and unsafe-eval in script-src, both of which weaken XSS protection.
Wildcard Source Analysis
Detects overly permissive wildcard (*) and data: sources that allow unrestricted resource loading.
HTTPS Enforcement
Checks for http: schemes in source lists and verifies that upgrade-insecure-requests is configured.
Clickjacking Protection
Verifies that frame-ancestors is set, so your site cannot be embedded in a malicious iframe.
Base URI & Default-Src
Ensures a default-src fallback is set and that base-uri is restricted to prevent injection attacks.
How It Works
Three steps to evaluate your CSP.
Enter Your URL
Type or paste any website URL. The tool fetches the page and reads both the Content-Security-Policy and Content-Security-Policy-Report-Only headers.
Parse & Analyze
Each directive is parsed and evaluated for security issues like unsafe-inline, wildcards, and missing protections.
Review Results
Get an A-F grade, see each directive with its values and issues, and follow recommendations to harden your policy.
Frequently Asked Questions
Common questions about Content Security Policy.
What is a Content Security Policy (CSP)?
CSP is an HTTP response header that tells browsers which content sources are allowed on your page. By restricting where scripts, styles, images, and other resources may load from, it is one of the most effective defenses against Cross-Site Scripting (XSS) attacks.
How does CSP prevent XSS attacks?
CSP prevents XSS by allowlisting trusted sources for scripts and other resources. Even if an attacker injects malicious HTML, the browser will refuse to execute inline scripts (unless unsafe-inline is allowed) or to load resources from origins that are not listed. This significantly reduces the attack surface for XSS.
How do I implement CSP on my website?
Add a Content-Security-Policy header in your web server configuration. Start with a report-only policy to identify what would break, for example: Content-Security-Policy-Report-Only: default-src 'self'. Monitor the violation reports, refine the policy, then switch to the enforcing Content-Security-Policy header. Most web servers, CDNs, and frameworks support CSP configuration.
Why is unsafe-inline considered dangerous?
unsafe-inline allows the browser to execute inline scripts and styles, which is exactly what XSS attacks exploit. An attacker who can inject HTML into your page can run arbitrary JavaScript if unsafe-inline is allowed. Use nonces or hashes instead to allow specific inline scripts safely.
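A minimal version of the parse-and-grade pass described under How It Works, written here as an added example in Python (not the tool's own code): it splits a header value into directives, applies the checks listed under What This Tool Checks, and maps the number of findings to an A-F grade. The sample policies and the grading scale are constructed for illustration and are not taken from any real site.

```python
# Source keywords that weaken XSS protection when they appear in script-src.
UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")
GRADES = "ABCDF"  # one letter worse per finding, F at four or more

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source tokens]}; directives are
    ';'-separated, names are case-insensitive, and a repeated directive is ignored."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def evaluate_csp(header: str) -> list[str]:
    """Return one finding per weakness, mirroring the checks listed above."""
    policy = parse_csp(header)
    findings: list[str] = []
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    else:
        findings += [f"{kw} in script-src weakens XSS protection"
                     for kw in UNSAFE_KEYWORDS if kw in script_src]
    for name, sources in policy.items():
        for src in sources:
            if src == "*" or src.lower() == "data:":
                findings.append(f"{name} allows unrestricted source {src}")
            elif src.lower().startswith("http:"):
                findings.append(f"{name} allows plaintext source {src}")
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted resource types are unrestricted")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative URLs")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: the page can be framed (clickjacking)")
    if "upgrade-insecure-requests" not in policy:
        findings.append("upgrade-insecure-requests missing: http: subresources stay plaintext")
    return findings

def grade(findings: list[str]) -> str:
    """Letter grade derived from the number of findings."""
    return GRADES[min(len(findings), len(GRADES) - 1)]

# Constructed sample policies (not from any real site); they grade F and A.
WEAK_CSP = "default-src 'self' *; script-src 'self' 'unsafe-inline' http://cdn.example"
STRONG_CSP = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; base-uri 'none'; "
              "frame-ancestors 'none'; upgrade-insecure-requests")
```

One caveat the simple check does not model: browsers implementing CSP Level 2 or later ignore 'unsafe-inline' in a script-src that also carries a nonce or hash source, so such a policy is graded down here although modern browsers still block injected inline scripts.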