Content-Security-Policy Analyzer
Paste a Content-Security-Policy header to see it broken into directives and audited for common weaknesses such as unsafe-inline, unsafe-eval and wildcards. Each finding shows a severity and a concrete fix. Everything runs in your browser.
How to analyze a CSP header
- Paste the value of your Content-Security-Policy header into the box.
- Read the parsed directives and the list of findings sorted by severity.
- Apply the recommended fixes, then re-paste the updated policy to confirm.
Examples
A weak policy
default-src 'self'; script-src 'self' 'unsafe-inline'
HIGH: 'unsafe-inline' in script-src; missing object-src, base-uri and frame-ancestors
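To make the steps above concrete, here is an added example of the kind of parse-and-audit logic the analyzer performs, written for this page and not the tool's own code. The directive names are real CSP directives; the severity labels, message wording and the choice of which checks to run are my assumptions. It is plain JavaScript with no dependencies, so it runs in a browser console or Node.

```javascript
// Added example, not the analyzer's own code: a small CSP parser and auditor.
// Severity labels and messages are assumptions; directive names are real CSP.

const SEVERITY_RANK = { HIGH: 0, MEDIUM: 1, LOW: 2 };

// Split a CSP header value into a Map of directive name -> source list.
// Browsers ignore a repeated directive, so the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives such as script-src fall back to default-src when absent.
// base-uri and frame-ancestors do not, so they are checked separately below.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get('default-src') || null;
}

const isNonceOrHash = (s) => /^'(nonce-|sha(256|384|512)-)/.test(s);

function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const report = (severity, directive, message, fix) =>
    findings.push({ severity, directive, message, fix });

  // Inline and eval permissions on script-src are the classic XSS enablers.
  const script = effectiveSources(d, 'script-src');
  if (script === null) {
    report('HIGH', 'script-src', 'no script-src or default-src, so any script may load',
      "add script-src 'self' plus a nonce or hash allowlist");
  } else {
    if (script.includes("'unsafe-inline'")) {
      // When a nonce or hash is present, CSP Level 2+ browsers ignore
      // 'unsafe-inline', so it then only serves as a legacy fallback.
      const sev = script.some(isNonceOrHash) ? 'LOW' : 'HIGH';
      report(sev, 'script-src', "'unsafe-inline' allows inline scripts and event handlers",
        "remove 'unsafe-inline' and allowlist inline scripts with 'nonce-...' or 'sha256-...'");
    }
    if (script.includes("'unsafe-eval'")) {
      report('MEDIUM', 'script-src', "'unsafe-eval' allows eval() and string-to-code APIs",
        "remove 'unsafe-eval' and refactor code that builds code from strings");
    }
    for (const src of script) {
      if (src === '*') {
        report('HIGH', 'script-src', "wildcard '*' allows scripts from any origin",
          'list the exact origins you load scripts from');
      } else if (/^(https?|data):$/.test(src)) {
        report(src === 'data:' ? 'HIGH' : 'MEDIUM', 'script-src',
          `scheme source ${src} allows scripts from any ${src} URL`,
          'replace the bare scheme with specific origins');
      } else if (src.startsWith('*.')) {
        report('LOW', 'script-src', `host wildcard ${src} trusts every subdomain`,
          'name the specific hosts instead of a wildcard');
      }
    }
  }

  // 'unsafe-inline' in style-src is a lesser risk (CSS injection) but still flagged.
  const style = effectiveSources(d, 'style-src');
  if (style && style.includes("'unsafe-inline'") && !style.some(isNonceOrHash)) {
    report('MEDIUM', 'style-src', "'unsafe-inline' allows injected inline styles",
      "use 'nonce-...' or hashes for the inline styles you control");
  }

  // Directives that should be set explicitly regardless of default-src.
  const objectSrc = d.get('object-src');
  if (!objectSrc || !objectSrc.includes("'none'")) {
    report('MEDIUM', 'object-src', 'plugin content (<object>, <embed>) is not disabled',
      "add object-src 'none'");
  }
  if (!d.has('base-uri')) {
    report('MEDIUM', 'base-uri', 'an injected <base> tag can redirect relative URLs',
      "add base-uri 'none' or base-uri 'self'");
  }
  if (!d.has('frame-ancestors')) {
    report('MEDIUM', 'frame-ancestors', 'the page may be framed by any site (clickjacking)',
      "add frame-ancestors 'none' or a list of allowed framing origins");
  }

  return findings.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}

// The weak policy from the example above; auditCsp(WEAK_POLICY) yields one HIGH
// finding for 'unsafe-inline' and three MEDIUM findings for the missing directives.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'";
```

Calling `auditCsp(WEAK_POLICY)` returns four findings sorted HIGH first; a policy such as `default-src 'self'; script-src 'self' 'nonce-…'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'` returns none. Note that `effectiveSources` deliberately does not fall back to default-src for base-uri and frame-ancestors, because browsers do not either.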
Frequently asked questions
Is my CSP sent to a server?
No. The policy is parsed and audited entirely in your browser using plain string analysis. Nothing is uploaded, logged or stored, so it is safe to paste a header from a production site.
What does 'unsafe-inline' mean and why is it risky?
'unsafe-inline' tells the browser to allow inline <script> blocks and inline event handlers (and inline styles for style-src). That is exactly what most cross-site scripting (XSS) payloads rely on, so it largely defeats the protection CSP is meant to provide. Use a nonce or hash allowlist instead.
Why do object-src and base-uri matter?
object-src controls legacy plugin content such as <object> and <embed>; setting it to 'none' removes an old but real attack surface. base-uri controls where a <base> tag may point, and without it an injected <base> can silently rewrite where every relative URL on the page resolves, redirecting script and form loads to an attacker.
What is the difference between a nonce and a hash in script-src?
A nonce is a random per-response token you include in both the header and the nonce attribute of each trusted <script>; a hash is the base64-encoded SHA-256, SHA-384 or SHA-512 digest of a specific inline script's exact contents. Either one lets the browser run only the inline scripts you explicitly approve, which is the recommended replacement for 'unsafe-inline'.
Does a clean report mean my site is secure?
No. The analyzer checks for common, well-known CSP weaknesses, but a real policy depends on your app's exact sources and behavior. Treat the findings as a strong starting point, then test the policy in report-only mode before enforcing it.
Learn more
- Content-Security-Policy directives cheat sheet
The CSP directives that matter most for security, what each one controls, and safe default values.
Related tools
Security Headers Analyzer
Paste raw HTTP response headers and get a graded report of your security headers, with severity ratings and copy-paste fixes. Runs in your browser.
Hash Identifier
Identify the likely hash algorithm of a string by its length, character set and prefix. Detects MD5, SHA, bcrypt and more. Runs in your browser.
Secret Scanner
Paste code or config to find leaked API keys, tokens and private keys using gitleaks-style signatures. Runs in your browser, nothing is uploaded.
JWT Decoder
Decode a JSON Web Token to read its header and payload claims. Shows exp, iat and nbf as dates. Runs in your browser. No signature check.
AES Encryption
Encrypt and decrypt text with AES-GCM and a password. Uses 256-bit keys derived with PBKDF2, runs entirely in your browser, and nothing is uploaded.
CVSS Calculator
Calculate a CVSS v3.1 base score and severity from the eight base metrics. Build the vector string and see how each choice moves the score, in your browser.