CSP Analyzer

Paste a Content-Security-Policy header value to see every directive explained in plain English and each risk flagged by severity — all in your browser.

The CSP Analyzer parses and scores your Content-Security-Policy entirely in your browser. The header value you paste never leaves your device and nothing is uploaded to ArrayKit.

About CSP Analyzer

The CSP Analyzer takes a Content-Security-Policy header value and breaks it into a per-directive table, explaining what each directive controls in plain English. It then audits the policy for the weaknesses that quietly defeat CSP: 'unsafe-inline' and 'unsafe-eval' in script sources, bare '*' wildcards, insecure http: origins, an overly broad data: scheme, and missing hardening such as default-src, object-src 'none', frame-ancestors, and base-uri. Every finding carries a severity so you can see at a glance whether a policy is tight or leaky. It is useful when you are hardening a site, reviewing a policy a framework generated for you, or debugging why a report-only CSP still allows inline scripts. Everything is parsed and scored on your device — the header you paste is never uploaded.

How to use the CSP Analyzer

  1. Copy the Content-Security-Policy header value from your server config or response headers
  2. Paste it into the analyzer (the leading header name is optional)
  3. Read the per-directive table to confirm what each directive allows
  4. Work through the findings, worst-first, and tighten the flagged directives

Example

Input

default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'

Output

HIGH  script-src  'unsafe-inline' permits inline scripts
MED   frame-ancestors  missing — page can be framed (clickjacking)
OK    object-src  'none' blocks plugins (recommended)

The analyzer flags unsafe-inline as high, notes the missing frame-ancestors, and confirms object-src 'none'.
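The checks described on this page, as an added example in JavaScript (not ArrayKit's own code): it strips an optional header name, splits the value into directives, and returns findings ranked worst-first in the same severity scheme as the output above. The function names, the img-src exception for data:, and the downgrade of 'unsafe-inline' when a nonce or hash is present are this example's own choices.

```javascript
// Added example, not the ArrayKit implementation. Severity levels and checks
// follow the page; helper names and the few extra rules are assumptions.
const HEADER_PREFIX = /^\s*content-security-policy(-report-only)?\s*:\s*/i;

// Parse a full header line or a bare policy value into { directive: [sources] }.
function parseCsp(text) {
  const policy = {};
  for (const part of text.replace(HEADER_PREFIX, "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a duplicated directive.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Audit a policy and return findings sorted HIGH > MED > LOW > OK.
function analyzeCsp(text) {
  const p = parseCsp(text);
  const findings = [];
  const add = (severity, directive, message) => findings.push({ severity, directive, message });
  // script-src falls back to default-src when absent, so audit the effective list.
  const scriptSrc = p["script-src"] || p["default-src"] || [];
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  if (scriptSrc.includes("'unsafe-inline'")) {
    // CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is listed.
    if (hasNonceOrHash) add("LOW", "script-src", "'unsafe-inline' is a legacy fallback; ignored when a nonce/hash is present");
    else add("HIGH", "script-src", "'unsafe-inline' permits inline scripts");
  }
  if (scriptSrc.includes("'unsafe-eval'")) add("HIGH", "script-src", "'unsafe-eval' permits eval() and string-to-code APIs");
  for (const [name, sources] of Object.entries(p)) {
    if (sources.includes("*")) add("HIGH", name, "bare '*' allows any origin");
    if (sources.some((s) => /^http:/i.test(s))) add("MED", name, "insecure http: origin");
    // data: is tolerated for images here (assumption); elsewhere it is overly broad.
    if (sources.includes("data:") && name !== "img-src") add("MED", name, "data: scheme is overly broad");
  }
  if (!p["default-src"]) add("MED", "default-src", "missing; fetch directives you did not list are unrestricted");
  if (p["object-src"] && p["object-src"].includes("'none'")) add("OK", "object-src", "'none' blocks plugins (recommended)");
  else add("MED", "object-src", "not 'none'; plugin content is allowed");
  if (!p["frame-ancestors"]) add("MED", "frame-ancestors", "missing; page can be framed (clickjacking)");
  if (!p["base-uri"]) add("LOW", "base-uri", "missing; an injected <base> tag can redirect relative URLs");
  const rank = { HIGH: 0, MED: 1, LOW: 2, OK: 3 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}
```

Running `analyzeCsp` on the input above yields the HIGH script-src finding first, then the MED frame-ancestors and LOW base-uri findings, and finally the OK confirmation for object-src.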

Frequently asked questions

What does the CSP Analyzer check for?
It parses each directive, explains what it controls, and flags common weaknesses: 'unsafe-inline' and 'unsafe-eval' in script sources, bare '*' wildcards, insecure http: origins, an overly broad data: scheme, and missing default-src, object-src 'none', frame-ancestors, and base-uri.
Why is 'unsafe-inline' flagged as high risk?
'unsafe-inline' lets inline <script> blocks and event-handler attributes run, which is exactly the injection vector CSP is meant to block. It effectively neutralizes script-src, so the analyzer treats it as a high-severity finding and suggests nonces or hashes instead.
Do I need to include the 'Content-Security-Policy:' header name?
No. You can paste either the full header line or just the policy value. The analyzer strips a leading 'Content-Security-Policy:' or 'Content-Security-Policy-Report-Only:' prefix automatically before parsing.
Why does the analyzer warn about a missing frame-ancestors?
Without frame-ancestors, any site can embed your page in an iframe, enabling clickjacking. frame-ancestors is the modern replacement for X-Frame-Options, so the analyzer recommends adding frame-ancestors 'self' or 'none'.
Does this validate that my policy is syntactically perfect?
It focuses on security posture rather than strict grammar. It handles the common shapes browsers accept — semicolon-separated directives with space-separated sources — and points out risky sources and missing hardening rather than nitpicking whitespace.
Is the CSP header I paste sent anywhere?
No. The CSP Analyzer parses and scores the policy entirely in your browser. The header value you paste stays on your device and is never uploaded to ArrayKit.
