CSP Evaluator
Paste a Content-Security-Policy header and get a per-directive audit — unsafe patterns, missing directives, and modern best practices.
- script-src'unsafe-inline' allows inline scripts/styles — defeats the main XSS protection.
- frame-ancestorsMissing frame-ancestors — no clickjacking protection.
- form-actionConsider adding form-action to restrict where forms can submit.
default-src 'self'
script-src 'self' 'unsafe-inline'
object-src 'none'
base-uri 'self'About the CSP Evaluator
The CSP Evaluator lints any Content-Security-Policy header value and produces a per-directive audit with an overall score. Paste a policy — production, staging, or one you're drafting — and get an instant readout of missing directives, dangerous keywords, wildcard sources, insecure schemes, and modern-best-practice signals. It exists because CSP is famously easy to write and famously hard to write well: a single `'unsafe-inline'` in the wrong place quietly undoes the entire XSS protection you thought you had.
We check the classics — is default-src set, is script-src set, are `'unsafe-inline'` or `'unsafe-eval'` allowing arbitrary script execution, is `*` letting any origin load, is `http:` weakening HTTPS-only pages, is `data:` in script-src (a known XSS bypass), is object-src locked down, is base-uri restricted, is frame-ancestors present for clickjacking protection, is form-action limited. We also give positive credit for nonce/hash-based script sources and `upgrade-insecure-requests`, so a well-designed strict CSP visibly wins.
Use the evaluator whenever you tighten a policy, when you introduce a new third-party embed and need to figure out what broke, when a security audit flags 'missing security headers', or when you're moving from a report-only rollout to enforcement. It pairs naturally with our Security Headers Grader for the whole-response picture and with the browser's own CSP violation reports for real-world signal.
How to use this tool
- 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
- 2Click the action button to run the check — results are computed instantly from our edge network.
- 3Review the parsed output, key fields and any warnings shown in the result card.
- 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.
Key features
- Per-directive findings — errors, warnings, info, ok
- Catches 'unsafe-inline', 'unsafe-eval', wildcards, data: in script-src
- Flags missing default-src / object-src / base-uri / frame-ancestors
- Rewards nonces, hashes, and upgrade-insecure-requests
- 0–100 score with human-readable explanation for every rule