CSP Analyzer

Paste a Content-Security-Policy header and audit it for XSS bypasses, missing object-src, missing base-uri, JSONP hosts, and CSP3 nonce mistakes.

Example policies

Load a known-good policy, a deliberately weak one, or start from your own header.

Paste the value (with or without the "Content-Security-Policy:" prefix). The audit updates as you type.

Policy score

98/100

Grade A

0 high (deduct 25 each)
0 medium (deduct 10 each)
1 info (deduct 2 each)

Scoring is heuristic. The audit follows public guidance (W3C CSP3, Google CSP Evaluator ruleset). Treat findings as starting points, not pass/fail.

Findings

  1. info: No reporting endpoint (directive: report-to)

    Without report-uri (older browsers) or report-to (modern browsers), CSP violations are dropped silently. You will not see real-world breakage or attack attempts.

    Fix: Add report-to (preferred) and report-uri (compatibility) pointing at an endpoint you can collect.

Parsed directives

7 directives found. First occurrence wins; duplicates are flagged above.

Directive                    Sources
default-src                  'self'
script-src                   'self'
object-src                   'none'
base-uri                     'self'
frame-ancestors              'none'
form-action                  'self'
upgrade-insecure-requests    (empty)

Plain-text report

CSP Audit Report

Score: 98/100 (grade A)
Directives: 7
Findings: 0 high, 0 medium, 1 info

Policy:
default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests;

Findings:
1. [INFO] No reporting endpoint
   Without report-uri (older browsers) or report-to (modern browsers), CSP violations are dropped silently. You will not see real-world breakage or attack attempts.
   Fix: Add report-to (preferred) and report-uri (compatibility) pointing at an endpoint you can collect.

Generated by Zero Signup Tools, CSP Analyzer.

How to use

  1. Load one of the example policies (Strict starter, Common bypasses, CSP3 strict-dynamic, JSONP-bypass host, Report-Only with endpoint, Empty policy), or paste your own Content-Security-Policy header value into the textarea.
  2. Read the score and grade at the top: the score starts at 100 and deducts 25 per high finding, 10 per medium, and 2 per info, clamped to the range 0 to 100.
  3. Step through the Findings list. Each card shows severity, a short title, why the pattern matters, a concrete fix, and the directive it applies to.
  4. Scan the Parsed directives table to confirm the analyzer saw the same policy you intended. Duplicate or unknown directive names are flagged in the findings above.
  5. Use Copy report to grab a plain-text audit suitable for a PR comment, a security review document, or a Slack thread.

About this tool

CSP Analyzer takes a Content-Security-Policy header value (with or without the Content-Security-Policy: prefix) and runs a directive-by-directive audit modeled on the W3C CSP Level 3 specification and the public ruleset used by Google's CSP Evaluator.

The parser splits the header at semicolons, normalizes directive names, preserves source order, applies the default-src and script-src fallback chain documented in CSP3 (script-src-elem and script-src-attr fall back to script-src, then to default-src), and tracks duplicate or unknown directive names that browsers silently ignore.

The auditor checks the patterns that quietly defeat real-world policies:

  1. wildcards in script-src or default-src;
  2. plain http: or https: as the only script source (a scheme-wide wildcard);
  3. data: or blob: anywhere scripts can come from;
  4. 'unsafe-inline' without a nonce or hash shadowing it;
  5. 'unsafe-eval' on directives that could be expression-injected;
  6. 'strict-dynamic' without a nonce or hash to bootstrap from;
  7. host allowlists that include known JSONP endpoints (ajax.googleapis.com, googletagmanager.com, google-analytics.com, etc.);
  8. the wildcard-subdomain widening problem;
  9. missing object-src 'none' (the single most-cited high-impact CSP recommendation);
  10. missing base-uri (an injected <base href> can redirect every relative script URL on the page);
  11. missing frame-ancestors (clickjacking exposure);
  12. missing form-action (form retargeting);
  13. 'unsafe-inline' on style-src (CSS-based exfiltration);
  14. the lack of report-uri or report-to (silent enforcement);
  15. missing upgrade-insecure-requests on https origins.

Each finding ships severity (high, medium, info), a description that explains why the pattern matters, a concrete fix, and a tag that points at the directive triggering it.

The policy is scored 0-100 with letter grades A through F based on weighted deductions, the parsed directives table breaks the policy out into a directive name plus source chips for quick visual inspection, and a plain-text report is ready to paste into a security review document, a PR comment, or an audit log.

Useful for security engineers grading a policy before deployment, frontend leads reviewing a vendor's CSP, performance teams checking whether a third-party tag will require relaxing the script-src, anyone reproducing a Google CSP Evaluator finding without uploading the header to a third party, and writers wanting to understand why a particular CSP keyword is risky. The companion tool, CSP Header Generator, builds a policy from scratch using the same directive vocabulary.

Everything runs in your browser; the pasted header value, the parsed directives, and the report never leave your device, which matters because production CSP headers often reference internal staging origins and reporting endpoints.
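To make the parsing and scoring rules above concrete, here is an added example in JavaScript that is not the tool's own source code. It implements the semicolon split, the first-occurrence-wins rule, the CSP3 script-src/default-src fallback chain, a subset of the checks listed above (wildcards and scheme-wide sources, data:/blob:, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', 'strict-dynamic' bootstrapping, object-src 'none', base-uri, frame-ancestors, form-action and reporting), and the 25/10/2 deduction scheme. The JSONP host list, style-src and upgrade-insecure-requests checks are left out, the set of known directive names is a shortened assumption, and the letter-grade thresholds (90/80/70/60) are an assumption because the page only states that grades run A through F. Run against the "Strict starter" policy shown in the report above it reproduces the 98/100, grade A, one info finding result.

```javascript
// Added example, not the CSP Analyzer's own implementation.
// KNOWN_DIRECTIVES is a shortened, assumed list; anything else is reported as unknown.
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'script-src-elem', 'script-src-attr', 'style-src',
  'object-src', 'base-uri', 'frame-ancestors', 'form-action', 'upgrade-insecure-requests',
  'report-uri', 'report-to', 'img-src', 'connect-src', 'font-src', 'frame-src',
  'worker-src', 'child-src', 'media-src', 'manifest-src', 'sandbox',
]);

// Split the header at semicolons, normalize names, keep the first occurrence of a
// directive and record duplicates/unknown names that browsers silently ignore.
function parsePolicy(header) {
  const value = header.replace(/^\s*content-security-policy(-report-only)?\s*:/i, '');
  const directives = new Map();
  const duplicates = [];
  const unknown = [];
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!KNOWN_DIRECTIVES.has(name)) unknown.push(name);
    if (directives.has(name)) { duplicates.push(name); continue; } // first occurrence wins
    directives.set(name, tokens.slice(1));
  }
  return { directives, duplicates, unknown };
}

// CSP3 fallback chain: script-src-elem/-attr -> script-src -> default-src, etc.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'style-src': ['style-src', 'default-src'],
  'object-src': ['object-src', 'default-src'],
};

// Returns the source list that actually governs `name`, or null if nothing does.
function effectiveSources(directives, name) {
  for (const d of FALLBACK[name] || [name]) {
    if (directives.has(d)) return directives.get(d);
  }
  return null;
}

function auditPolicy(header) {
  const { directives, duplicates, unknown } = parsePolicy(header);
  const findings = [];
  const add = (severity, title, directive) => findings.push({ severity, title, directive });

  for (const d of duplicates) add('info', `Duplicate directive ${d}; only the first occurrence is enforced`, d);
  for (const d of unknown) add('info', `Unknown directive ${d} is ignored by browsers`, d);

  const script = effectiveSources(directives, 'script-src');
  if (script === null) {
    add('high', 'No script-src or default-src: script sources are unrestricted', 'script-src');
  } else {
    const has = (s) => script.some((t) => t.toLowerCase() === s);
    const hasNonceOrHash = script.some((t) => /^'(nonce-|sha(256|384|512)-)/i.test(t));
    if (has('*') || has('http:') || has('https:')) add('high', 'Wildcard or scheme-wide script source', 'script-src');
    if (has('data:') || has('blob:')) add('high', 'data: or blob: in script sources', 'script-src');
    if (has("'unsafe-inline'") && !hasNonceOrHash) add('high', "'unsafe-inline' without a nonce or hash", 'script-src');
    if (has("'unsafe-eval'")) add('medium', "'unsafe-eval' allows string-to-code evaluation", 'script-src');
    if (has("'strict-dynamic'") && !hasNonceOrHash) add('high', "'strict-dynamic' without a nonce or hash to bootstrap from", 'script-src');
  }

  const object = effectiveSources(directives, 'object-src');
  if (!(object && object.length === 1 && object[0].toLowerCase() === "'none'")) {
    add('high', "object-src is not 'none'", 'object-src');
  }
  if (!directives.has('base-uri')) add('medium', 'Missing base-uri', 'base-uri');
  if (!directives.has('frame-ancestors')) add('medium', 'Missing frame-ancestors', 'frame-ancestors');
  if (!directives.has('form-action')) add('medium', 'Missing form-action', 'form-action');
  if (!directives.has('report-uri') && !directives.has('report-to')) add('info', 'No reporting endpoint', 'report-to');

  // Weighted deductions from the page: 25 per high, 10 per medium, 2 per info, clamped to 0..100.
  const weights = { high: 25, medium: 10, info: 2 };
  const raw = 100 - findings.reduce((sum, f) => sum + weights[f.severity], 0);
  const score = Math.max(0, Math.min(100, raw));
  // Grade thresholds are an assumption; the page only states grades run A through F.
  const grade = score >= 90 ? 'A' : score >= 80 ? 'B' : score >= 70 ? 'C' : score >= 60 ? 'D' : 'F';
  return { score, grade, findings, directiveCount: directives.size };
}

// Constructed sample input: the "Strict starter" policy from the report above.
const STRICT_STARTER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests;";
```

Calling `auditPolicy(STRICT_STARTER)` yields score 98, grade A and a single info finding tagged report-to, matching the report on this page; a policy such as `default-src *; script-src 'unsafe-inline' 'unsafe-eval' https:` collects three high and four medium findings plus the reporting info and is clamped to 0, grade F.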

Free to use. Works in your browser. No signup, no login.
