
CSP Analyzer

Analyze Content Security Policy headers for any URL.

Enter a URL to fetch and analyze its Content-Security-Policy header. HTTPS is added automatically if no scheme is specified.

What Is Content Security Policy (CSP)?

Content Security Policy is an HTTP response header that lets website owners control which resources the browser is allowed to load for a given page. By specifying approved sources for scripts, stylesheets, images, fonts, and other resource types, CSP provides a strong defense-in-depth layer against cross-site scripting (XSS) and other content-injection attacks, and its frame-ancestors directive controls who may embed the page, which blocks clickjacking. It is one of the most important security headers a website can implement, though it complements rather than replaces fixing the underlying injection bugs.

How CSP Works

A CSP header contains a series of directives separated by semicolons. Each directive names a resource type (such as script-src for JavaScript or style-src for CSS) followed by a space-separated list of approved sources: host expressions like https://cdn.example.com, schemes like https:, and quoted keywords like 'self' or 'none'. The default-src directive acts as a fallback for any fetch directive that is not explicitly configured; directives such as frame-ancestors and form-action do not fall back to it and must be set explicitly. Browsers enforce the policy by blocking (and, if a reporting endpoint is configured, reporting) any resource that does not match the approved sources for its type.

Common CSP Issues

Many websites ship weak CSP configurations. 'unsafe-inline' allows inline script blocks and event-handler attributes, which negates most of the XSS protection CSP offers; modern browsers ignore it when a nonce or hash is present in the same directive, so alongside nonces it is harmless but also pointless. 'unsafe-eval' permits string-to-code evaluation such as eval() and new Function(), another common vector for executing injected code. A bare wildcard (*) in script-src or default-src allows scripts from any origin and defeats the purpose of the policy. This tool flags these issues and helps you identify which directives need tightening.

Improving Your CSP

Start with a strict default-src 'self' policy and add specific sources only as needed. Use nonce-based or hash-based policies instead of 'unsafe-inline': a nonce is a fresh random value generated for each response and placed both in the header and on every legitimate script tag, while a hash covers the exact text of a fixed inline script. Block plugin content with object-src 'none'. Restrict where forms may submit with form-action 'self'. Test changes in report-only mode first using the Content-Security-Policy-Report-Only header, which reports violations without blocking anything; configure a reporting endpoint (report-to or report-uri) so violations are collected rather than only written to the browser console, and switch to the enforcing header once the reports are clean.