Content-Security-Policy header checker

Paste a raw Content-Security-Policy value below. The analyzer parses every directive locally in your browser and flags unsafe-inline, wildcard hosts, and high-risk gaps — nothing is uploaded.


    How this CSP analyzer scores your policy

    A Content-Security-Policy is an allowlist of the sources from which a page may load scripts, styles, images, frames and other resources, and of whether inline code and eval are permitted at all. The browser blocks anything that does not match, which makes CSP one of the strongest defense-in-depth layers against cross-site scripting (XSS) and related data-injection attacks: even when an attacker gets markup into the page, an injected script that matches no source does not run. But a policy is only as good as its weakest directive, and a few common shortcuts such as 'unsafe-inline' or a wildcard host silently hand that protection back.

    This tool splits the header value on semicolons, splits each directive on whitespace into a name and its source list, then applies a weighted deduction model: the score starts at 100 and each finding (an 'unsafe-inline' keyword, a wildcard host, a missing directive) subtracts a penalty. The parse mirrors what a browser does: directive names are case-insensitive, only the first occurrence of a repeated directive is honored, a fetch directive such as script-src that is absent falls back to default-src, and if neither is present that resource type is unrestricted. One caveat the checker cannot see: when a response carries several Content-Security-Policy headers, the browser enforces all of them, so paste and score each one.

    Strict mode adds deductions for a missing frame-ancestors (clickjacking; this is the CSP replacement for X-Frame-Options) and a missing report-uri or report-to, without which violations go unmonitored. The final number maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F below that, giving a fast read on whether the policy is genuinely hardened or merely present. A nonce- or sha256- (likewise sha384-/sha512-) source in the script source list cancels the 'unsafe-inline' penalty, mirroring how browsers that support CSP Level 2 ignore 'unsafe-inline' whenever a nonce or hash is present in the same directive; the keyword then only serves as a fallback for older browsers. The nonce must still be unpredictable and fresh on every response, which a static header check cannot verify.
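The parse-and-deduct model described above, written out here as an added example rather than the tool's own code. The PENALTIES weights are assumed for illustration (the page does not publish the real ones); the grade thresholds, the strict-mode checks and the nonce/hash override are the ones stated above, and the sample policies at the end are constructed.

```javascript
// Added example (not the page's own code): a minimal CSP parser and weighted
// deduction scorer along the lines the text describes. PENALTIES weights are
// assumed for illustration; grade thresholds are the ones stated on the page.

// Split a raw header value into directives on ';', then each directive into a
// name and its source list on ASCII whitespace. Names are case-insensitive.
// A repeated directive name is ignored, as browsers honor only the first one.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/[ \t\n\r\f]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives fall back to default-src when absent; null means no policy
// governs that resource type at all (the browser allows everything).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

// Assumed weights, for illustration only.
const PENALTIES = {
  noScriptPolicy: 40,         // neither script-src nor default-src
  unsafeInline: 30,           // 'unsafe-inline' with no nonce/hash to override it
  unsafeEval: 20,
  wildcardHost: 15,           // per wildcard source: *, https:, *.example.com
  plaintextHttp: 10,          // per http: source
  noObjectSrc: 10,            // plugin content (object/embed) unrestricted
  noBaseUri: 5,               // <base> injection can retarget relative script URLs
  strictNoFrameAncestors: 10, // strict mode only
  strictNoReporting: 5,       // strict mode only
};

const NONCE_OR_HASH = /^'(?:nonce-[^']+|sha(?:256|384|512)-[^']+)'$/i;

function isWildcardSource(src) {
  const s = src.toLowerCase();
  if (s === "*" || s === "https:") return true;          // any host at all
  return /^(?:[a-z][a-z0-9+.-]*:\/\/)?\*\./.test(s);     // *.example.com, https://*.cdn.example.com
}

function isPlaintextHttp(src) {
  const s = src.toLowerCase();
  return s === "http:" || s.startsWith("http://");
}

function gradeFor(score) {
  if (score >= 90) return "A";
  if (score >= 75) return "B";
  if (score >= 60) return "C";
  if (score >= 40) return "D";
  return "F";
}

function scoreCsp(header, { strict = false } = {}) {
  const d = parseCsp(header);
  const findings = [];
  let score = 100;
  const deduct = (points, reason) => { score -= points; findings.push(`-${points} ${reason}`); };

  const scripts = effectiveSources(d, "script-src");
  if (scripts === null) {
    deduct(PENALTIES.noScriptPolicy, "no script-src or default-src: scripts may load from anywhere");
  } else {
    const keywords = scripts.map((s) => s.toLowerCase());
    const hasNonceOrHash = scripts.some((s) => NONCE_OR_HASH.test(s));
    const strictDynamic = keywords.includes("'strict-dynamic'");
    // CSP Level 2 browsers ignore 'unsafe-inline' once a nonce or hash is present,
    // so the keyword is then only a fallback for old browsers and is not penalised.
    if (keywords.includes("'unsafe-inline'") && !hasNonceOrHash) deduct(PENALTIES.unsafeInline, "'unsafe-inline' in script sources");
    if (keywords.includes("'unsafe-eval'")) deduct(PENALTIES.unsafeEval, "'unsafe-eval' in script sources");
    // With 'strict-dynamic', CSP3 browsers ignore host and scheme sources, so a
    // wildcard there is a legacy fallback rather than a live allow.
    if (!strictDynamic) {
      for (const s of scripts) {
        if (isWildcardSource(s)) deduct(PENALTIES.wildcardHost, `wildcard script source ${s}`);
        if (isPlaintextHttp(s)) deduct(PENALTIES.plaintextHttp, `plaintext http script source ${s}`);
      }
    }
  }
  if (effectiveSources(d, "object-src") === null) deduct(PENALTIES.noObjectSrc, "no object-src (and no default-src)");
  if (!d.has("base-uri")) deduct(PENALTIES.noBaseUri, "no base-uri");
  if (strict) {
    if (!d.has("frame-ancestors")) deduct(PENALTIES.strictNoFrameAncestors, "no frame-ancestors (clickjacking)");
    if (!d.has("report-uri") && !d.has("report-to")) deduct(PENALTIES.strictNoReporting, "no report-uri/report-to");
  }
  return { score: Math.max(0, score), grade: gradeFor(Math.max(0, score)), findings, directives: d };
}

// Constructed sample policy: looks restrictive but leaks through 'unsafe-inline' and a wildcard host.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com *.example.net; object-src 'none'";
const report = scoreCsp(SAMPLE_CSP, { strict: true });
console.log(report.grade, report.score, report.findings);
```

The nonce check only confirms that a nonce-shaped token is present; whether the value is unpredictable and regenerated per response is a server-side property that no header checker can see.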

    Related Tools

    CSP Generator — build a hardened policy from a checklist.
    Security Headers Generator — produce HSTS, X-Frame-Options and CSP together.