free security tools
← Back to tools

CSP Evaluator

Paste a Content-Security-Policy header to analyze its security posture. Detects dangerous directives, missing protections, and common misconfigurations.

Analysis

Paste a CSP policy and click Evaluate.

What is CSP Evaluator?

Analyze Content-Security-Policy headers for weaknesses. Find unsafe-inline, wildcard sources, and missing directives.

Security Guide

Content-Security-Policy (CSP)
Start with report-only policy to test before enforcing → Policy Generator
unsafe-inline removal
Replace unsafe-inline with nonces or hashes → CSP Hash Generator
default-src restriction
Restrict default-src to 'self' to block untrusted origins
Violation reporting
Add report-to or report-uri to monitor violations in production
Wildcard removal
Remove * wildcards — they allow any origin, defeating CSP
Base URI and form-action
Set base-uri 'self' and form-action 'self'Policy Generator