
CSP Header Tester

Paste your Content-Security-Policy header value to parse every directive, flag unsafe configurations like 'unsafe-inline' and wildcard sources, and get actionable fix recommendations.
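The parser and checks below are an added example of what a tester like this does internally; they are not the tool's own code, and the list of findings (unsafe-inline without a nonce or hash, unsafe-eval, wildcard or scheme-only script sources, missing object-src 'none', base-uri and frame-ancestors) is my own selection. Directive names are case-insensitive, and a directive repeated later in the same policy is ignored by browsers, which the parser mirrors.

```javascript
// Added example: a minimal CSP parser and linter. Not the tester's own code;
// the set of checks is an assumption about what a reviewer most wants flagged.

// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of source expressions. Directives are separated
// by ';', tokens by ASCII whitespace, names are case-insensitive, and only
// the first occurrence of a directive counts (later duplicates are ignored).
function parseCSP(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/[ \t\n\r\f]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (policy.has(name)) continue; // duplicate directive: first one wins
    policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives that fall back to default-src when absent.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'object-src', 'style-src', 'img-src',
  'connect-src', 'frame-src', 'font-src', 'media-src',
]);

// Effective source list for a directive: itself if present, else default-src.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return { from: directive, sources: policy.get(directive) };
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has('default-src')) {
    return { from: 'default-src', sources: policy.get('default-src') };
  }
  return { from: null, sources: null };
}

// '*' matches any origin; a bare scheme allows every host using that scheme.
function isWildcardSource(src) {
  const s = src.toLowerCase();
  return s === '*' || s === 'https:' || s === 'http:' || s === 'data:' || s === 'blob:';
}

function hasNonceOrHash(sources) {
  return sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

// Returns an array of { severity, directive, message } findings.
function lintCSP(header) {
  const policy = parseCSP(header);
  const issues = [];

  const script = effectiveSources(policy, 'script-src');
  if (!script.sources) {
    issues.push({ severity: 'high', directive: 'script-src',
      message: 'no script-src or default-src: scripts from any origin may run' });
  } else {
    const lower = script.sources.map(s => s.toLowerCase());
    // CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is
    // present, so it is only a finding when it stands alone.
    if (lower.includes("'unsafe-inline'") && !hasNonceOrHash(script.sources)) {
      issues.push({ severity: 'high', directive: script.from,
        message: "'unsafe-inline' allows injected inline scripts; use nonces or hashes" });
    }
    if (lower.includes("'unsafe-eval'")) {
      issues.push({ severity: 'medium', directive: script.from,
        message: "'unsafe-eval' allows eval()/new Function() on attacker-controlled strings" });
    }
    for (const s of script.sources) {
      if (isWildcardSource(s)) {
        issues.push({ severity: 'high', directive: script.from,
          message: `wildcard source ${s} lets scripts load from anywhere` });
      }
    }
  }

  const object = effectiveSources(policy, 'object-src');
  if (!object.sources || !object.sources.map(s => s.toLowerCase()).includes("'none'")) {
    issues.push({ severity: 'medium', directive: 'object-src',
      message: "set object-src 'none' (plugin content can execute script)" });
  }
  if (!policy.has('base-uri')) {
    issues.push({ severity: 'medium', directive: 'base-uri',
      message: 'missing base-uri; an injected <base> tag can redirect relative script URLs' });
  }
  if (!policy.has('frame-ancestors')) {
    issues.push({ severity: 'low', directive: 'frame-ancestors',
      message: 'missing frame-ancestors; the page can be framed (clickjacking)' });
  }
  return issues;
}
```

Running `lintCSP("default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com *; img-src *")` yields five findings; the same policy rewritten with a nonce, `object-src 'none'`, `base-uri 'none'` and `frame-ancestors 'none'` yields none.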


    Frequently Asked Questions

    What does Content-Security-Policy actually protect against?

    CSP is primarily a mitigation for cross-site scripting (XSS): it tells the browser which sources of content it may execute or load. A strict policy says: only run scripts from these specific sources (or scripts carrying this response's nonce), only load images from approved origins, never execute inline event handlers. If an attacker injects a script tag through an HTML-injection bug, a properly configured CSP stops the browser from executing it; the injection is still in the page, but it cannot run. Beyond XSS, the frame-ancestors directive blocks clickjacking by controlling which origins may frame the page, and directives such as connect-src and form-action close off some data-exfiltration channels by restricting where the page may send requests and submit forms. CSP is defense in depth, not a substitute for output encoding: it limits the impact of an injection rather than removing the bug.

    Why is 'unsafe-inline' a problem in CSP?

    The 'unsafe-inline' keyword in script-src defeats most of CSP's XSS protection: it allows every inline script, both the legitimate ones you wrote and any an attacker manages to inject. The fix is to move inline code into external files, or to allow specific inline scripts with nonces (a fresh, unguessable, per-response token generated server-side, at least 128 bits from a CSPRNG, base64-encoded) or hashes (the SHA-256, SHA-384 or SHA-512 of the exact script content, which stops matching if a single byte changes). With nonces, only script elements carrying the matching nonce attribute execute; an injected script has no way to learn the nonce and does not run. CSP Level 2 and later browsers ignore 'unsafe-inline' in a directive that also contains a nonce or hash, so it can be kept purely as a fallback for old browsers without weakening the policy elsewhere. Two mistakes undo the protection: serving a page with a fixed or cached nonce (a reused nonce is just a password everyone can read), and reflecting the nonce into markup the attacker controls.

    How do I implement CSP without breaking my website?

    Start in report-only mode by sending Content-Security-Policy-Report-Only instead of Content-Security-Policy. This reports violations without blocking anything, so you can see what would break before enforcing. Point reports at a collection endpoint: report-uri is deprecated in the spec but still the most widely supported way to do it, so send it alongside report-to with a Reporting-Endpoints header, and use a service such as Report URI (free tier available) or your own endpoint. Run the site normally for a week or two, group the reports by violated directive and blocked origin, and refine the policy to allow legitimate sources while keeping unexpected ones blocked. Expect a floor of noise from browser extensions injecting their own scripts (blocked URIs such as chrome-extension:// or moz-extension://); filter those out rather than trying to allow them. Switch from Report-Only to enforcement once the remaining legitimate violations reach zero. You can also send both headers at once, enforcing a looser policy while reporting on the stricter one you are moving toward. This phased approach avoids breaking third-party scripts, analytics tools and CDN-hosted libraries.