Content-Security-Policy header checker
Paste a raw Content-Security-Policy value below. The analyzer parses every directive locally in your browser and flags unsafe-inline, wildcard hosts, and high-risk gaps — nothing is uploaded.
How this CSP analyzer scores your policy
A Content-Security-Policy is a whitelist of where a page may load scripts, styles, images, frames and other resources. The browser refuses anything that does not match, which is the single strongest defense against cross-site scripting (XSS) and data-injection attacks. But a policy is only as good as its weakest directive, and a few common shortcuts silently disable that protection.
This tool tokenizes the header on semicolons, splits each directive into a name and its source list, then applies a weighted deduction model. The score starts at 100 and subtracts penalties:
- `'unsafe-inline'` in `script-src`: minus 35. It re-enables inline event handlers and `<script>` blocks, the exact vector CSP exists to block.
- `'unsafe-eval'`: minus 20, since it permits `eval()` and string-to-code execution.
- Wildcard `*` as a script or default source: minus 25; any host can serve code.
- Missing `default-src`: minus 20, because unlisted resource types fall back to "allow all".
- Missing `object-src 'none'`: minus 10 (plugins remain an injection path).
- Missing `base-uri`: minus 8 (base-tag hijacking).
- `'unsafe-inline'` in `style-src`: minus 6, a lower-severity styling risk.
Strict mode adds deductions for a missing `frame-ancestors` (clickjacking) and a missing `report-uri`/`report-to`, without which violations go unmonitored. The final number maps to a letter grade (A at 90 or above, B at 75, C at 60, D at 40, F below that), giving you a fast read on whether the policy is genuinely hardened or merely present. A `nonce-` or `sha256-` source in the script source list cancels the inline penalty, mirroring how browsers ignore `'unsafe-inline'` once a nonce or hash is present.
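The following is an added example of the deduction model described above, written here for illustration; it is not the checker's own source. It parses a header the way the text describes (split on semicolons, first token is the directive name, the rest are sources) and applies the listed penalties. Three details are assumptions not stated on the page: the strict-mode weights (10 for `frame-ancestors`, 5 for reporting), accepting `sha384-`/`sha512-` hashes as well as `sha256-` when cancelling the inline penalty, and treating `default-src 'none'` as satisfying the `object-src 'none'` check (which is how the browser fallback actually behaves). Duplicate directives keep the first occurrence, as browsers do.

```javascript
// Added example, not the tool's own code. Implements the scoring rules on this page.
// Assumed (not from the page): strict-mode weights, sha384/sha512 acceptance,
// and default-src 'none' counting as object-src 'none'.

const GRADES = [[90, 'A'], [75, 'B'], [60, 'C'], [40, 'D']];

// Tokenize on ';' then whitespace. Directive names are case-insensitive.
// If a directive repeats, browsers honour the first one and ignore the rest.
function parseCsp(header) {
  const directives = new Map();
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Keyword sources such as 'unsafe-inline' are ASCII case-insensitive.
const hasKeyword = (list, kw) => list.some((s) => s.toLowerCase() === kw);

function scoreCsp(header, { strict = false } = {}) {
  const d = parseCsp(header);
  const findings = [];
  let score = 100;
  const deduct = (points, why) => { score -= points; findings.push(`-${points}: ${why}`); };

  // Fetch directives fall back to default-src when they are absent.
  const effective = (name) => d.get(name) ?? d.get('default-src') ?? [];
  const defaultSrc = d.get('default-src') ?? [];
  const script = effective('script-src');
  const style = effective('style-src');

  // A nonce or hash source makes the browser ignore 'unsafe-inline', so no penalty.
  const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));

  if (hasKeyword(script, "'unsafe-inline'") && !hasNonceOrHash) deduct(35, "'unsafe-inline' in script-src");
  if (hasKeyword(script, "'unsafe-eval'")) deduct(20, "'unsafe-eval' permits string-to-code execution");
  if (script.includes('*') || defaultSrc.includes('*')) deduct(25, 'wildcard * as script or default source');
  if (!d.has('default-src')) deduct(20, 'missing default-src: unlisted types allow all');

  // object-src 'none' explicitly, or default-src 'none' with no object-src override (assumed equivalent).
  const object = d.get('object-src');
  const objectBlocked = object
    ? object.length === 1 && object[0].toLowerCase() === "'none'"
    : defaultSrc.length === 1 && defaultSrc[0].toLowerCase() === "'none'";
  if (!objectBlocked) deduct(10, "missing object-src 'none': plugins remain an injection path");
  if (!d.has('base-uri')) deduct(8, 'missing base-uri: base-tag hijacking');
  if (hasKeyword(style, "'unsafe-inline'")) deduct(6, "'unsafe-inline' in style-src");

  if (strict) {
    if (!d.has('frame-ancestors')) deduct(10, 'missing frame-ancestors (clickjacking)');        // assumed weight
    if (!d.has('report-uri') && !d.has('report-to')) deduct(5, 'no report-uri/report-to'); // assumed weight
  }

  score = Math.max(0, score);
  const grade = (GRADES.find(([min]) => score >= min) ?? [0, 'F'])[1];
  return { score, grade, findings };
}

// Usage with a constructed sample policy:
// scoreCsp("default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'")
// returns { score: 65, grade: 'C', findings: ["-35: 'unsafe-inline' in script-src"] }
```

Note that because `style-src` falls back to `default-src`, a policy whose only source list is `default-src 'unsafe-inline'` takes both the script and the style inline penalties, which is correct: it permits inline code and inline styling alike.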
Related Tools
CSP Generator — build a hardened policy from a checklist.
Security Headers Generator — produce HSTS, X-Frame-Options and CSP together.