CSP Analyzer
Paste a Content-Security-Policy header and get an instant security verdict — a parsed directive table, color-coded findings and a letter grade, all in your browser.
Security grade: F (3 High, 3 Medium, 2 Low)
Findings
- High (script-src): 'unsafe-inline' lets any inline <script> or event handler run, defeating most XSS protection — replace it with nonces or hashes.
- High (script-src): 'unsafe-eval' allows string-to-code execution via eval() and similar APIs, a common XSS vector — remove it if you can.
- High (script-src): Allowing the data: scheme for scripts lets an attacker inline executable payloads — never allow data: in a script directive.
- Medium (script-src): An insecure http: source can be tampered with in transit — use https: instead.
- Medium (style-src): 'unsafe-inline' allows arbitrary inline styles, which can enable data exfiltration via CSS — prefer hashes or nonces where possible.
- Medium (default-src): A bare '*' wildcard allows scripts or resources from any origin, defeating the point of the directive.
- Low (base-uri): No base-uri is set, so an injected <base> tag could redirect relative URLs. Set base-uri 'none' or 'self'.
- Low (frame-ancestors): No frame-ancestors is set; the page can be embedded anywhere and is exposed to clickjacking. Set frame-ancestors 'none' or 'self'.
Parsed directives
| Directive | Sources |
|---|---|
| default-src | * |
| script-src | 'self' 'unsafe-inline' 'unsafe-eval' data: http://cdn.example.com |
| style-src | 'self''unsafe-inline' |
About this analyzer
The grade is a weighted score of every finding: high-severity issues (inline or eval script execution, wildcard or data: script sources) weigh the most, advisories the least. Heuristics follow CSP Level 3 conventions, but treat the result as guidance — the right policy always depends on what your page actually loads. Your policy is analyzed entirely in the browser and never leaves this page.
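The checks and weighted grade described above, as an added example that is not the analyzer's own code: a small CSP parser that reproduces the eight findings for the sample policy in the table. The severity weights and grade thresholds are assumptions, not the analyzer's published values.

```javascript
// Assumed weights per finding severity (not the analyzer's real numbers).
const WEIGHTS = { High: 3, Medium: 2, Low: 1 };

// Parse "a b c; d e" into { a: ["b","c"], d: ["e"] }. Directive names are
// case-insensitive; when a directive is repeated, browsers keep the first one.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function analyzeCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const add = (severity, directive, message) => findings.push({ severity, directive, message });
  // script-src inherits from default-src when it is not set explicitly.
  const scriptSrc = d["script-src"] ?? d["default-src"] ?? [];
  if (scriptSrc.includes("'unsafe-inline'")) add("High", "script-src", "'unsafe-inline' lets inline scripts run");
  if (scriptSrc.includes("'unsafe-eval'")) add("High", "script-src", "'unsafe-eval' allows eval()-style execution");
  if (scriptSrc.includes("data:")) add("High", "script-src", "data: allows inline executable payloads");
  if (scriptSrc.some((s) => s.startsWith("http://"))) add("Medium", "script-src", "http: source can be tampered with in transit");
  if ((d["style-src"] ?? []).includes("'unsafe-inline'")) add("Medium", "style-src", "'unsafe-inline' allows arbitrary inline styles");
  if ((d["default-src"] ?? []).includes("*")) add("Medium", "default-src", "bare * wildcard allows any origin");
  if (!("base-uri" in d)) add("Low", "base-uri", "not set; an injected <base> can redirect relative URLs");
  if (!("frame-ancestors" in d)) add("Low", "frame-ancestors", "not set; page can be framed (clickjacking)");
  // Weighted score -> letter grade (thresholds are an assumption).
  const score = findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0);
  const grade = score === 0 ? "A" : score <= 2 ? "B" : score <= 4 ? "C" : score <= 7 ? "D" : "F";
  return { directives: d, findings, score, grade };
}

// Constructed sample: the policy whose parsed directives appear in the table above.
const SAMPLE_POLICY =
  "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: http://cdn.example.com; style-src 'self' 'unsafe-inline'";
// Constructed hardened counterpart: nonce-based scripts, base-uri and frame-ancestors locked down.
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-CONSTRUCTED'; style-src 'self'; base-uri 'none'; frame-ancestors 'none'";
```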