CSP Checker — Test Your Content Security Policy Online
Content Security Policy is an HTTP header that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which content sources are allowed to load.
Why It Matters
XSS attacks remain one of the most common web vulnerabilities. CSP acts as a defense-in-depth layer that can block malicious scripts even if your application has XSS vulnerabilities. Without CSP, attackers can inject scripts that steal user data, hijack sessions, or deface your website.
How We Check
We analyze your Content-Security-Policy header for proper directives including default-src, script-src, style-src, and frame-ancestors. We check for unsafe patterns like 'unsafe-inline' and 'unsafe-eval' that weaken protection.
How to Fix
Add a Content-Security-Policy header starting with a restrictive policy like default-src 'self'. Use nonces or hashes instead of 'unsafe-inline' for inline scripts. Start with report-only mode to identify issues before enforcing.
Frequently Asked Questions
What is Content Security Policy (CSP)?
Content Security Policy (CSP) is an HTTP response header that tells browsers which sources are allowed to load scripts, styles, images, and other resources on your page. It's the most effective technical defense against XSS (Cross-Site Scripting) attacks — even if an attacker injects malicious HTML, CSP prevents unauthorized scripts from executing.
What does 'unsafe-inline' mean in CSP and why is it dangerous?
'unsafe-inline' allows inline JavaScript and CSS to execute — meaning any `<script>` tag or event handler in your HTML runs without restriction. This completely defeats CSP's XSS protection because injected inline scripts would also execute. Replace unsafe-inline with nonces (`'nonce-{random}'`) or hashes (`'sha256-{hash}'`) that allow only your specific inline code.
How do I add CSP to my website without breaking it?
Start with `Content-Security-Policy-Report-Only` (not `Content-Security-Policy`) so violations are reported but not blocked. Check violation reports to see what your site loads. Then iteratively add directives for each resource type, switch to enforcement mode, and tighten further. Never start with blocking mode on an untested policy.
What is the minimum CSP I should set?
At minimum: `default-src 'self'; frame-ancestors 'none'`. This restricts all resources to same-origin and prevents your page from being embedded in iframes. Add `script-src` with nonces for inline scripts, `style-src`, `img-src` (usually including `data:` and your CDN), and `connect-src` for API calls.
Does CSP prevent all XSS attacks?
CSP significantly reduces XSS risk but isn't a complete prevention if misconfigured. Policies with 'unsafe-inline', wildcards (`*`), or `unsafe-eval` leave gaps. A properly configured strict-dynamic + nonce policy provides strong protection. CSP should be one layer in a defense-in-depth approach that also includes input validation and output encoding.
Related Security Checks
Related Tool
Security Headers Checker
Run all 10 related checks with our free security headers checker
Check Your Website Now
Run a free security scan to check for Content Security Policy (CSP) issues and 62+ other security vulnerabilities.
Scan Your Website Free