
CSP Analyzer

Paste a Content-Security-Policy header and get an instant security verdict — a parsed directive table, color-coded findings and a letter grade, all in your browser.

Security grade: F (3 High, 3 Medium, 2 Low)

Findings

  • [High] script-src: 'unsafe-inline' lets any inline <script> or event handler run, defeating most XSS protection — replace it with nonces or hashes.
  • [High] script-src: 'unsafe-eval' allows string-to-code execution via eval() and similar APIs, a common XSS vector — remove it if you can.
  • [High] script-src: Allowing the data: scheme for scripts lets an attacker inline executable payloads — never allow data: in a script directive.
  • [Medium] script-src: An insecure http: source can be tampered with in transit — use https: instead.
  • [Medium] style-src: 'unsafe-inline' allows arbitrary inline styles, which can enable data exfiltration via CSS — prefer hashes or nonces where possible.
  • [Medium] default-src: A bare '*' wildcard allows scripts or resources from any origin, defeating the point of the directive.
  • [Low] base-uri: No base-uri is set, so an injected <base> tag could redirect relative URLs. Set base-uri 'none' or 'self'.
  • [Low] frame-ancestors: No frame-ancestors is set; the page can be embedded anywhere and is exposed to clickjacking. Set frame-ancestors 'none' or 'self'.

Parsed directives

Directive      Sources
default-src    *
script-src     'self' 'unsafe-inline' 'unsafe-eval' data: http://cdn.example.com
style-src      'self' 'unsafe-inline'

About this analyzer

The grade is a weighted score of every finding: high-severity issues (inline or eval script execution, wildcard or data: script sources) weigh the most, advisories the least. Heuristics follow CSP Level 3 conventions, but treat the result as guidance — the right policy always depends on what your page actually loads. Your policy is analyzed entirely in the browser and never leaves this page.
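To make the findings and the grading concrete, here is an added example (not the uxTools analyzer's own code) of a small CSP parser, the checks that correspond to the findings listed above, and a weighted grade. The policy it runs on is reconstructed from the parsed-directives table; the severity weights, the 100-point scale and the letter thresholds are assumptions, since the page states only that high-severity findings weigh the most. The parser follows the CSP rule that the first occurrence of a directive wins and that script-src and style-src fall back to default-src when absent.

```javascript
// Added example, not the uxTools analyzer's code. Weights and grade
// thresholds below are assumptions chosen to reproduce the page's verdict.

// Constructed sample: the policy behind the findings on this page.
const SAMPLE_POLICY =
  "default-src *; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' data: http://cdn.example.com; " +
  "style-src 'self' 'unsafe-inline'";

// Parse a Content-Security-Policy header value into {directive: [sources]}.
// Directive names are case-insensitive; a repeated directive is ignored
// because browsers honour only its first occurrence.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (name in policy) continue; // duplicate directive: first one wins
    policy[name] = tokens.slice(1);
  }
  return policy;
}

// Run the checks over a parsed policy. Each finding records severity,
// the directive it applies to and a short message.
function analyzeCsp(policy) {
  const findings = [];
  const add = (severity, directive, message) =>
    findings.push({ severity, directive, message });
  // script-src and style-src inherit from default-src when not set.
  const script = policy["script-src"] || policy["default-src"] || [];
  const style = policy["style-src"] || policy["default-src"] || [];
  const has = (list, src) => list.some((s) => s.toLowerCase() === src);

  if (has(script, "'unsafe-inline'"))
    add("High", "script-src", "'unsafe-inline' lets inline scripts and event handlers run");
  if (has(script, "'unsafe-eval'"))
    add("High", "script-src", "'unsafe-eval' allows string-to-code execution");
  if (has(script, "data:"))
    add("High", "script-src", "data: scheme lets executable payloads be inlined");
  if (script.some((s) => s.toLowerCase().startsWith("http:")))
    add("Medium", "script-src", "insecure http: source can be tampered with in transit");
  if (has(style, "'unsafe-inline'"))
    add("Medium", "style-src", "'unsafe-inline' allows arbitrary inline styles");
  if (has(policy["default-src"] || [], "*"))
    add("Medium", "default-src", "bare * wildcard allows resources from any origin");
  if (!("base-uri" in policy))
    add("Low", "base-uri", "no base-uri set; an injected <base> could redirect relative URLs");
  if (!("frame-ancestors" in policy))
    add("Low", "frame-ancestors", "no frame-ancestors set; page is exposed to clickjacking");
  return findings;
}

// Assumed scoring: subtract a per-severity penalty from 100, then map
// the remaining score to a letter grade.
const WEIGHTS = { High: 25, Medium: 10, Low: 5 };
function gradeCsp(findings) {
  const penalty = findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0);
  const score = Math.max(0, 100 - penalty);
  if (score >= 90) return "A";
  if (score >= 75) return "B";
  if (score >= 60) return "C";
  if (score >= 40) return "D";
  return "F";
}

function countBySeverity(findings) {
  const counts = { High: 0, Medium: 0, Low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Usage: the sample policy yields 3 High, 3 Medium, 2 Low and grade F.
const sampleFindings = analyzeCsp(parseCsp(SAMPLE_POLICY));
console.log(countBySeverity(sampleFindings), gradeCsp(sampleFindings));
```

Because the checks resolve fallbacks the way a browser does, a policy such as `default-src 'self'; script-src 'self' 'nonce-abc123'; base-uri 'none'; frame-ancestors 'none'` produces no findings: style-src is absent but inherits `'self'` from default-src, and both of the Low-severity checks are satisfied by explicit directives.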