CSP Checker
Analyze your website's Content Security Policy (CSP) header for security issues. Detect unsafe directives, missing policies, and misconfigurations that could expose your site to XSS attacks.
What We Check
CSP header detection and parsing
Unsafe directive identification (unsafe-inline, unsafe-eval)
Missing directive detection
Wildcard source analysis
Report-URI / report-to verification
Frame-ancestors policy check
How It Works
1. Enter your website URL
2. We fetch the page and extract CSP headers and meta tags
3. Each directive is parsed and checked against security best practices
4. Dangerous patterns like unsafe-inline are flagged
5. You receive a detailed report with specific directive recommendations
Frequently Asked Questions
What is Content Security Policy (CSP)?
CSP is an HTTP header that tells browsers which resources (scripts, styles, images) are allowed to load on your page. It's the most effective defense against XSS (Cross-Site Scripting) attacks.
Why is unsafe-inline dangerous?
The 'unsafe-inline' source keyword allows inline scripts and styles to execute, which defeats the primary purpose of CSP. Attackers who can inject HTML into the page can then execute arbitrary JavaScript if unsafe-inline is enabled.
How do I implement CSP without breaking my site?
Start with the Content-Security-Policy-Report-Only header to monitor violations without blocking anything. Use nonce-based or hash-based allowlisting instead of unsafe-inline. Gradually tighten the policy based on the violation reports you receive.
What CSP directives should I set?
At minimum: default-src 'self', script-src with nonces, style-src, img-src, connect-src, and frame-ancestors 'none' (to prevent clickjacking). Our checker identifies which directives you're missing.
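A minimal version of the checks described in "How It Works" and in the answer above, added here as an illustration and not the checker's own code. The required-directive list follows the FAQ's minimum set, and the policy strings are constructed samples.

```python
from typing import Dict, List

# Directives the FAQ above lists as the minimum a site should set.
REQUIRED = ("default-src", "script-src", "style-src", "img-src",
            "connect-src", "frame-ancestors")
# Fetch directives that fall back to default-src when not set explicitly.
FETCH = ("script-src", "style-src", "img-src", "connect-src")
# Source expressions that allow any host.
WILDCARDS = ("*", "http:", "https:")
# Keywords to flag per directive ('unsafe-eval' only matters for scripts).
UNSAFE = {"script-src": ("'unsafe-inline'", "'unsafe-eval'"),
          "style-src": ("'unsafe-inline'",)}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            # Browsers honour the first occurrence of a duplicated directive.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the sources that actually apply, including the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FETCH else []


def check_csp(header: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings = [f"missing directive: {d}" for d in REQUIRED if d not in policy]
    for directive, keywords in UNSAFE.items():
        applied = [s.lower() for s in effective_sources(policy, directive)]
        findings += [f"{directive} allows {kw}" for kw in keywords if kw in applied]
    for directive, sources in policy.items():
        findings += [f"{directive} uses wildcard source {s}"
                     for s in sources if s.lower() in WILDCARDS]
    if "report-to" not in policy and "report-uri" not in policy:
        findings.append("no report-to / report-uri: violations will not be reported")
    return findings


if __name__ == "__main__":
    # Constructed sample policy with several of the problems the checker looks for.
    for finding in check_csp("default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'"):
        print("-", finding)
```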
Ready to Check Your Website?
Run a free security scan now and get instant results with actionable fix recommendations.