
CSP Checker

Free online CSP checker. Scan any website to analyze Content Security Policy headers, detect dangerous directives like unsafe-inline and unsafe-eval, find missing policies, and identify misconfigurations that expose your site to XSS attacks. Get specific directive-level fix recommendations.

No https:// needed · Free · No credit card

What We Check

CSP header detection and parsing
Unsafe directive identification (unsafe-inline, unsafe-eval)
Missing directive detection
Wildcard source analysis
Report-URI / report-to verification
Frame-ancestors policy check

How It Works

1. Enter your website URL
2. We fetch the page and extract CSP headers and meta tags
3. Each directive is parsed and checked against security best practices
4. Dangerous patterns like unsafe-inline are flagged
5. You receive a detailed report with specific directive recommendations
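The five steps above, as an added example of how such a checker can be built in Python. This is not SecScanner's code; the sample response headers and HTML are constructed, the directive list comes from the FAQ below, and the finding messages are my own. It also covers a caveat the steps do not spell out: a policy delivered in a meta tag cannot set frame-ancestors or reporting directives, so the checker flags those.

```python
"""Added example: a small CSP parser and checker following the page's steps
(extract header/meta policies, parse directives, flag dangerous patterns,
report findings). Not SecScanner's code."""
from html.parser import HTMLParser

DANGEROUS_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
# Directives the page's FAQ says a policy should set at minimum.
EXPECTED_DIRECTIVES = ("default-src", "script-src", "style-src",
                       "img-src", "connect-src", "frame-ancestors")
# Fetch directives that fall back to default-src when absent.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src"}
# Directives browsers ignore when the policy comes from a <meta> tag.
META_IGNORED = {"frame-ancestors", "report-uri", "report-to", "sandbox"}


def parse_csp(policy: str) -> dict:
    """Parse 'dir src src; dir src' into {directive: [sources]}.
    Names are lower-cased; a repeated directive keeps its first value,
    which is what browsers do."""
    parsed = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed


class _MetaCSP(HTMLParser):
    """Collect the content of <meta http-equiv="Content-Security-Policy"> tags."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))


def extract_policies(headers: dict, html: str) -> list:
    """Return [(origin, policy_string)] from response headers and meta tags."""
    found = [("header", v) for k, v in headers.items()
             if k.lower() == "content-security-policy"]
    meta = _MetaCSP()
    meta.feed(html)
    return found + [("meta", p) for p in meta.policies]


def check_policy(policy: dict, origin: str = "header") -> list:
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    if not policy:
        return ["no CSP found"]
    for d in EXPECTED_DIRECTIVES:
        if d in policy or (d in FETCH_DIRECTIVES and "default-src" in policy):
            continue  # present, or covered by the default-src fallback
        findings.append(f"missing directive: {d}")
    for name, sources in policy.items():
        if origin == "meta" and name in META_IGNORED:
            findings.append(f"{name} in a <meta> policy is ignored by browsers")
        for src in sources:
            s = src.lower()
            if s in DANGEROUS_KEYWORDS:
                findings.append(f"{name} allows {s}")
            elif s in ("*", "http:", "https:"):
                findings.append(f"{name} allows wildcard source {s}")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations are not reported")
    return findings


def scan(headers: dict, html: str) -> list:
    """Run the whole pipeline; returns [(origin, findings)] per policy found."""
    policies = extract_policies(headers, html)
    if not policies:
        return [("none", ["no CSP found"])]
    return [(origin, check_policy(parse_csp(p), origin)) for origin, p in policies]


# Constructed sample response (not a real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example; "
        "img-src *; frame-ancestors 'none'; report-to csp-endpoint",
}
SAMPLE_HTML = ('<html><head><meta http-equiv="Content-Security-Policy" '
               'content="default-src \'self\'; frame-ancestors \'none\'"></head></html>')

if __name__ == "__main__":
    for origin, findings in scan(SAMPLE_HEADERS, SAMPLE_HTML):
        print(origin)
        for f in findings:
            print("  -", f)
```

Replace `SAMPLE_HEADERS` and `SAMPLE_HTML` with a real response (for example from `requests`) to run it against your own site; the missing-directive check deliberately treats `default-src` as covering absent fetch directives so it does not over-report.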

Security Checks Included

This tool runs the following security checks on your website:

Content Security Policy (CSP)
Frame Security Policy
Cross-Origin Resource Isolation
X-Content-Type-Options header
Deprecated X-XSS-Protection header

Frequently Asked Questions

What is a CSP checker?
A CSP checker is a free online tool that fetches your website, extracts the Content-Security-Policy header, and analyzes each directive for dangerous patterns. It flags issues like unsafe-inline, missing directives, and wildcard sources — with specific recommendations for each problem found.
How do I check my Content Security Policy?
Enter your website URL in the CSP checker above. We'll fetch the page, extract your CSP header (or meta tag), parse every directive, and show you a detailed analysis with pass/fail for each part of your policy.
What is Content Security Policy (CSP)?
CSP is an HTTP response header (it can also be set in a meta tag) that tells browsers which sources of scripts, styles, images and other resources are allowed to load on your page. It's the most effective defense against XSS (Cross-Site Scripting) attacks: an injected script won't run if the policy doesn't allow its source.
Why is unsafe-inline dangerous in CSP?
'unsafe-inline' is a source keyword (not a directive itself); when it appears in script-src or style-src it allows inline scripts and styles to execute, which defeats the primary purpose of CSP. Attackers who can inject HTML can then execute arbitrary JavaScript, bypassing your XSS protection entirely.
How do I implement CSP without breaking my site?
Start with the Content-Security-Policy-Report-Only header, together with a report-uri or report-to directive, so violations are reported without anything being blocked. Use nonce-based or hash-based allowlisting instead of 'unsafe-inline'. Tighten the policy step by step based on the violation reports, then switch to the enforcing Content-Security-Policy header.
What CSP directives should I set?
At minimum: default-src 'self', script-src with nonces or hashes, style-src, img-src, connect-src, and frame-ancestors 'none' to prevent clickjacking. Our checker identifies which directives you're missing.
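An added example covering the two answers above (Report-Only rollout with nonce or hash allowlisting, and the minimum directive set). It is not SecScanner's code: the report endpoint path, the inline script text and the group name `csp-endpoint` are constructed placeholders. `inline_script_allowed` is a simplified model of the browser's decision for one inline script, included to show why a nonce or hash blocks an injected script where 'unsafe-inline' would not.

```python
"""Added example: nonce/hash-based allowlisting with a Report-Only rollout,
as the FAQ recommends. Not SecScanner's code; endpoint path and page
content are constructed placeholders."""
import base64
import hashlib
import secrets

HASH_ALGOS = ("sha256", "sha384", "sha512")


def script_hash(inline_js: str, algo: str = "sha256") -> str:
    """CSP hash source for an inline script body, e.g. 'sha256-<base64>'.
    The digest covers the exact text between <script> and </script>,
    whitespace included, so any edit to the script invalidates it."""
    digest = hashlib.new(algo, inline_js.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"


def new_nonce() -> str:
    """Fresh random nonce for one response; never reuse it or make it guessable."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def script_src_sources(nonce: str, script_hashes=()) -> list:
    """script-src list: same-origin files, this response's nonce, and hashes
    for fixed inline scripts. No 'unsafe-inline'."""
    return ["'self'", f"'nonce-{nonce}'", *script_hashes]


def build_policy(nonce: str, script_hashes=(), report_group: str = "csp-endpoint") -> str:
    """The FAQ's minimum directive set, with script-src allowlisted by nonce/hash."""
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_src_sources(nonce, script_hashes)),
        "style-src 'self'",
        "img-src 'self'",
        "connect-src 'self'",
        "frame-ancestors 'none'",
        f"report-to {report_group}",
    ]
    return "; ".join(directives)


def response_headers(policy: str, enforce: bool = False) -> dict:
    """Stage 1 (enforce=False): Report-Only, violations reported, nothing blocked.
    Stage 2 (enforce=True): the same policy in the enforcing header.
    Reporting-Endpoints maps the report-to group name to a collector URL."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return {name: policy,
            "Reporting-Endpoints": 'csp-endpoint="/csp-report"'}  # placeholder path


def inline_script_allowed(sources: list, body: str, nonce_attr: str = None) -> bool:
    """Simplified browser decision for one inline script under a script-src
    source list: allowed if its nonce attribute matches a 'nonce-' source or
    its body matches a hash source. 'unsafe-inline' only counts when no
    nonce or hash source is present, which is how browsers treat it."""
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    if any(script_hash(body, algo) in sources for algo in HASH_ALGOS):
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


if __name__ == "__main__":
    nonce = new_nonce()
    fixed = "window.dataLayer = window.dataLayer || [];"  # constructed inline script
    hashes = [script_hash(fixed)]
    policy = build_policy(nonce, hashes)
    for stage in (False, True):
        print(response_headers(policy, enforce=stage))
    sources = script_src_sources(nonce, hashes)
    print("nonced page script allowed:", inline_script_allowed(sources, "init()", nonce))
    print("hashed script allowed:     ", inline_script_allowed(sources, fixed))
    print("injected script allowed:   ", inline_script_allowed(sources, "injected()"))
```

The nonce must be generated per response and written into each `<script nonce="...">` tag the page legitimately emits; hashes suit scripts whose text never changes (an analytics bootstrap, for instance), since the digest is over the exact script body.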
Is this CSP checker free?
Yes, our CSP checker is completely free. It analyzes your Content Security Policy in detail and is part of SecScanner's free toolkit that runs 60+ security checks covering SSL, cookies, DNS, and more.

Ready to Check Your Website?

Run a free security scan now and get instant results with actionable fix recommendations.


© 2025-2026 SecScanner. All rights reserved.