Free Content-Security-Policy (CSP) Analyzer
Analyze and grade a Content-Security-Policy. Flags unsafe-inline, unsafe-eval, wildcards and missing object-src/base-uri/frame-ancestors. Free, runs in your browser.
About this tool
Content-Security-Policy is one of the most powerful defences against cross-site scripting (XSS) and data injection — but it's also one of the easiest to weaken to the point of uselessness. This free CSP analyzer parses and grades any Content-Security-Policy, flagging unsafe-inline, unsafe-eval, wildcard sources, and missing protective directives like object-src, base-uri and frame-ancestors.
Paste a policy and get a directive-by-directive breakdown with the risk of each weakness explained. It runs in your browser, so you can iterate on a policy safely during development. A strong CSP is restrictive by design — this tool helps you find the gaps before an attacker does.
Frequently asked questions
What weakens a Content-Security-Policy?
'unsafe-inline' and 'unsafe-eval' allow exactly the kind of script execution CSP is meant to block, and wildcard sources (*) let resources load from anywhere. Missing object-src, base-uri and frame-ancestors directives also leave gaps.
How do I build a strong CSP?
Start restrictive, avoid unsafe-inline/unsafe-eval, use nonces or hashes for required inline scripts, set explicit allowlists per directive, and add object-src 'none', base-uri 'self' and frame-ancestors. Roll out in report-only mode first.
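The two answers above describe exactly what a CSP grader has to check. As an added example (my own code, not the analyzer's), here is a minimal checker that parses a policy string, applies the default-src fallback rules, and flags 'unsafe-inline', 'unsafe-eval', wildcard sources and the missing protective directives. Directive and keyword names are the real CSP ones; the severity weights, the letter grades and the two sample policies are constructed for illustration.

```javascript
// Added example, not the analyzer's own code: a minimal CSP checker that parses
// a policy string and reports the weaknesses listed in the FAQ. Directive and
// keyword names are the real CSP ones; the severity weights and letter grades
// are assumptions chosen for illustration.

// Parse "default-src 'self'; script-src 'self' cdn.example.com" into a Map of
// directive name -> array of source expressions (names lower-cased).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a repeated directive.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that actually governs a fetch directive: the directive itself,
// else default-src, else null (meaning no restriction at all).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// '*' matches any host; a bare scheme matches any host on that scheme.
const WILDCARD_SOURCES = new Set(['*', 'http:', 'https:']);

function checkFetchDirective(directives, name, findings) {
  const sources = effectiveSources(directives, name);
  if (sources === null) {
    findings.push({ directive: name, severity: 'high', issue: 'not set and no default-src fallback' });
    return;
  }
  const lower = sources.map(s => s.toLowerCase());
  // A nonce or hash in the same list makes browsers ignore 'unsafe-inline'
  // (CSP level 2 behaviour), so that combination is not flagged.
  const hasNonceOrHash = lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push({ directive: name, severity: 'high', issue: "'unsafe-inline' permits injected inline code" });
  }
  if (name === 'script-src' && lower.includes("'unsafe-eval'")) {
    findings.push({ directive: name, severity: 'high', issue: "'unsafe-eval' permits eval()-style execution" });
  }
  if (lower.some(s => WILDCARD_SOURCES.has(s))) {
    findings.push({ directive: name, severity: 'high', issue: 'wildcard source allows loading from any origin' });
  }
}

function analyzeCsp(policy) {
  const directives = parseCsp(policy);
  const findings = [];

  checkFetchDirective(directives, 'script-src', findings);
  checkFetchDirective(directives, 'style-src', findings);

  // object-src should be exactly 'none' (it falls back to default-src).
  const objectSrc = effectiveSources(directives, 'object-src');
  if (objectSrc === null || objectSrc.length !== 1 || objectSrc[0].toLowerCase() !== "'none'") {
    findings.push({ directive: 'object-src', severity: 'medium', issue: "should be set to 'none'" });
  }
  // base-uri and frame-ancestors have no default-src fallback, so absence is a gap.
  for (const name of ['base-uri', 'frame-ancestors']) {
    if (!directives.has(name)) {
      findings.push({ directive: name, severity: 'medium', issue: 'directive missing' });
    }
  }

  // Assumed grading scale: A clean, B only medium findings, C one high, F more.
  const highs = findings.filter(f => f.severity === 'high').length;
  const grade = findings.length === 0 ? 'A' : highs === 0 ? 'B' : highs === 1 ? 'C' : 'F';
  return { grade, findings };
}

// Constructed sample policies: a weak one and a hardened one.
const WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *";
const STRONG_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

for (const policy of [WEAK_POLICY, STRONG_POLICY]) {
  const { grade, findings } = analyzeCsp(policy);
  console.log(`Grade ${grade}: ${policy}`);
  for (const f of findings) console.log(`  [${f.severity}] ${f.directive}: ${f.issue}`);
}
```

Running it prints grade F for the weak policy with seven findings (three on script-src, a wildcard inherited by style-src from default-src, and the three protective directives) and grade A for the hardened one. The fallback logic is the part worth studying: style-src inherits the `*` from default-src even though it is never named, while base-uri and frame-ancestors are simply absent, which is why a policy that looks complete can still leave those gaps.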
Does the analyzer change my policy?
No. It only reads and grades the policy you paste, entirely in your browser. Use the findings to tighten your own configuration.