Skip to main content
SecScannerSecScanner
Security ChecksFree ToolsPricingBlog
Get Started
Sign InGet Started
Security ChecksContent Security Policy (CSP)
HeadersCritical PriorityFree

CSP Checker — Test Your Content Security Policy Online

Updated June 2026·SecScanner Team

Content Security Policy is an HTTP header that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which content sources are allowed to load.

Why It Matters

XSS attacks remain one of the most common web vulnerabilities. CSP acts as a defense-in-depth layer that can block malicious scripts even if your application has XSS vulnerabilities. Without CSP, attackers can inject scripts that steal user data, hijack sessions, or deface your website.

How We Check

We analyze your Content-Security-Policy header for proper directives including default-src, script-src, style-src, and frame-ancestors. We check for unsafe patterns like 'unsafe-inline' and 'unsafe-eval' that weaken protection.

How to Fix

Add a Content-Security-Policy header starting with a restrictive policy like default-src 'self'. Use nonces or hashes instead of 'unsafe-inline' for inline scripts. Start with report-only mode to identify issues before enforcing.

Frequently Asked Questions

What is Content Security Policy (CSP)?

Content Security Policy (CSP) is an HTTP response header that tells browsers which sources are allowed to load scripts, styles, images, and other resources on your page. It's the most effective technical defense against XSS (Cross-Site Scripting) attacks — even if an attacker injects malicious HTML, CSP prevents unauthorized scripts from executing.

What does 'unsafe-inline' mean in CSP and why is it dangerous?

'unsafe-inline' allows inline JavaScript and CSS to execute — meaning any `<script>` tag or event handler in your HTML runs without restriction. This completely defeats CSP's XSS protection because injected inline scripts would also execute. Replace unsafe-inline with nonces (`'nonce-{random}'`) or hashes (`'sha256-{hash}'`) that allow only your specific inline code.

How do I add CSP to my website without breaking it?

Start with `Content-Security-Policy-Report-Only` (not `Content-Security-Policy`) so violations are reported but not blocked. Check violation reports to see what your site loads. Then iteratively add directives for each resource type, switch to enforcement mode, and tighten further. Never start with blocking mode on an untested policy.

What is the minimum CSP I should set?

At minimum: `default-src 'self'; frame-ancestors 'none'`. This restricts all resources to same-origin and prevents your page from being embedded in iframes. Add `script-src` with nonces for inline scripts, `style-src`, `img-src` (usually including `data:` and your CDN), and `connect-src` for API calls.

Does CSP prevent all XSS attacks?

CSP significantly reduces XSS risk but isn't a complete prevention if misconfigured. Policies with 'unsafe-inline', wildcards (`*`), or `unsafe-eval` leave gaps. A properly configured strict-dynamic + nonce policy provides strong protection. CSP should be one layer in a defense-in-depth approach that also includes input validation and output encoding.

Related Security Checks

Headers

X-Content-Type-Options header

Headers

Frame Security Policy

Headers

Trusted Types readiness

Related Tool

Security Headers Checker

Run all 10 related checks with our free security headers checker

Check Your Website Now

Run a free security scan to check for Content Security Policy (CSP) issues and 62+ other security vulnerabilities.

Scan Your Website Free

Product

  • Security Checks
  • Free Tools
  • SSL Checker
  • Vulnerability Scanner
  • Email Security
  • Pricing
  • Compliance
  • Security Reports

Popular Checks

  • CSP Check
  • HSTS Check
  • TLS Version Check
  • SSL Expiry Check
  • SPF/DKIM/DMARC Check
  • Cookie Security Check
  • JS Vulnerability Scan
  • OCSP Stapling Check

Resources

  • Blog
  • Glossary
  • Contact

Legal

  • Terms of Use
  • Privacy Policy
  • Refund Policy
  • Cookie Policy

© 2025-2026 SecScanner. All rights reserved.