Diagnostic suite · live

CSP Evaluator

Paste a Content-Security-Policy header and get a per-directive audit — unsafe patterns, missing directives, and modern best practices.

Score
75/100
Errors
1
Directives
4
Findings
  • script-src
    'unsafe-inline' allows inline scripts/styles — defeats the main XSS protection.
  • frame-ancestors
    Missing frame-ancestors — no clickjacking protection.
  • form-action
    Consider adding form-action to restrict where forms can submit.
Parsed directives
default-src 'self'
script-src 'self' 'unsafe-inline'
object-src 'none'
base-uri 'self'

About the CSP Evaluator

The CSP Evaluator lints any Content-Security-Policy header value and produces a per-directive audit with an overall score. Paste a policy — production, staging, or one you're drafting — and get an instant readout of missing directives, dangerous keywords, wildcard sources, insecure schemes, and modern-best-practice signals. It exists because CSP is famously easy to write and famously hard to write well: a single `'unsafe-inline'` in the wrong place quietly undoes the entire XSS protection you thought you had.

We check the classics — is default-src set, is script-src set, are `'unsafe-inline'` or `'unsafe-eval'` allowing arbitrary script execution, is `*` letting any origin load, is `http:` weakening HTTPS-only pages, is `data:` in script-src (a known XSS bypass), is object-src locked down, is base-uri restricted, is frame-ancestors present for clickjacking protection, is form-action limited. We also give positive credit for nonce/hash-based script sources and `upgrade-insecure-requests`, so a well-designed strict CSP visibly wins.

Use the evaluator whenever you tighten a policy, when you introduce a new third-party embed and need to figure out what broke, when a security audit flags 'missing security headers', or when you're moving from a report-only rollout to enforcement. It pairs naturally with our Security Headers Grader for the whole-response picture and with the browser's own CSP violation reports for real-world signal.

How to use this tool

  1. 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
  2. 2Click the action button to run the check — results are computed instantly from our edge network.
  3. 3Review the parsed output, key fields and any warnings shown in the result card.
  4. 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.

Key features

  • Per-directive findings — errors, warnings, info, ok
  • Catches 'unsafe-inline', 'unsafe-eval', wildcards, data: in script-src
  • Flags missing default-src / object-src / base-uri / frame-ancestors
  • Rewards nonces, hashes, and upgrade-insecure-requests
  • 0–100 score with human-readable explanation for every rule
Related searches: csp evaluator · content security policy checker · csp linter online · unsafe-inline finder · csp best practices · xss prevention csp

Frequently asked questions

CSP is an HTTP response header that tells the browser exactly which sources are allowed for scripts, styles, images, frames, connections, and more. A strict CSP is the single most effective mitigation against reflected and stored cross-site scripting.