CSP Analyzer
Paste a Content-Security-Policy header value to see every directive explained in plain English and each risk flagged by severity — all in your browser.
The CSP Analyzer parses and scores your Content-Security-Policy entirely in your browser. The header value you paste never leaves your device and nothing is uploaded to ArrayKit.
About CSP Analyzer
The CSP Analyzer takes a Content-Security-Policy header value and breaks it into a per-directive table, explaining what each directive controls in plain English. It then audits the policy for the weaknesses that quietly defeat CSP: 'unsafe-inline' and 'unsafe-eval' in script sources, bare '*' wildcards, insecure http: origins, an overly broad data: scheme, and missing hardening such as default-src, object-src 'none', frame-ancestors, and base-uri. Every finding carries a severity so you can see at a glance whether a policy is tight or leaky. It is useful when you are hardening a site, reviewing a policy a framework generated for you, or debugging why a report-only CSP still allows inline scripts. Everything is parsed and scored on your device — the header you paste is never uploaded.
Features
- Parses any Content-Security-Policy value into a clean per-directive table
- Explains each directive (script-src, frame-ancestors, base-uri…) in plain English
- Flags 'unsafe-inline' and 'unsafe-eval' in script sources as high risk
- Detects bare '*' wildcards and insecure http: sources
- Warns on missing default-src, object-src 'none', frame-ancestors, and base-uri
- Assigns a severity (high / medium / low / OK) to every finding
- Accepts input with or without the 'Content-Security-Policy:' header name
- Runs entirely in your browser — the policy you paste never leaves your device
How to use the CSP Analyzer
- Copy the Content-Security-Policy header value from your server config or response headers
- Paste it into the analyzer (the leading header name is optional)
- Read the per-directive table to confirm what each directive allows
- Work through the findings, worst-first, and tighten the flagged directives
Example
Input
default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'
Output
HIGH script-src 'unsafe-inline' permits inline scripts
MED frame-ancestors missing — page can be framed (clickjacking)
OK object-src 'none' blocks plugins (recommended)
The analyzer flags unsafe-inline as high, notes the missing frame-ancestors, and confirms object-src 'none'.
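The following is an added example, not ArrayKit's own code, showing how an analyzer of this kind can be implemented: it strips the optional header name, splits the policy into a per-directive table, resolves the default-src fallback for fetch directives, and emits severity-ranked findings for the weaknesses listed above. The severity levels, messages, the fallback list and one extra caveat (browsers that support nonces or hashes ignore 'unsafe-inline' when one is present in the same source list, so that shape is downgraded rather than flagged high) are this example's own assumptions, not the tool's exact behaviour.

```javascript
// Added example (not ArrayKit's own code): a minimal CSP analyzer that mirrors the
// checks described on this page. Severity levels, messages and the fallback list
// are this example's assumptions, not the tool's exact output.

const HEADER_PREFIX = /^\s*content-security-policy(-report-only)?\s*:\s*/i;

// Fetch directives that fall back to default-src when not set (CSP3, abridged).
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src', 'media-src',
  'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
]);

// Split "name src src; name src" into a Map of directive -> source tokens.
// Browsers honour only the first occurrence of a duplicated directive.
function parseCsp(header) {
  const directives = new Map();
  for (const chunk of header.replace(HEADER_PREFIX, '').split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list that actually governs `name`: the directive itself, or
// default-src when `name` is a fetch directive that falls back to it.
function effectiveSources(directives, name) {
  if (directives.has(name)) return { from: name, sources: directives.get(name) };
  if (FALLS_BACK_TO_DEFAULT.has(name) && directives.has('default-src')) {
    return { from: 'default-src', sources: directives.get('default-src') };
  }
  return { from: null, sources: null };
}

function analyzeCsp(header) {
  const directives = parseCsp(header);
  const findings = [];
  const add = (severity, directive, message) => findings.push({ severity, directive, message });

  // Script sources: 'unsafe-inline' / 'unsafe-eval' undo the XSS protection.
  const script = effectiveSources(directives, 'script-src');
  if (script.sources) {
    const lower = script.sources.map((s) => s.toLowerCase());
    const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (lower.includes("'unsafe-inline'")) {
      // CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is in the same
      // list, so that (common, backwards-compatible) shape is downgraded to low.
      if (hasNonceOrHash) add('low', script.from, "'unsafe-inline' is ignored by browsers that support the nonce/hash present");
      else add('high', script.from, "'unsafe-inline' permits inline scripts");
    }
    if (lower.includes("'unsafe-eval'")) add('high', script.from, "'unsafe-eval' permits eval() and string-to-code APIs");
  }

  // Per-source checks on every directive: bare wildcard, plaintext origins, data:.
  for (const [name, sources] of directives) {
    for (const src of sources) {
      const s = src.toLowerCase();
      if (s === '*') add('high', name, "bare '*' allows any origin");
      else if (s === 'http:' || s.startsWith('http://')) add('medium', name, `insecure source ${src}`);
      else if (s === 'data:' && ['default-src', 'script-src', 'object-src'].includes(name)) {
        add('medium', name, 'data: scheme allows attacker-supplied inline content');
      }
    }
  }

  // Missing hardening directives.
  if (!directives.has('default-src')) add('medium', 'default-src', 'missing; unlisted fetch directives are unrestricted');
  const object = effectiveSources(directives, 'object-src');
  if (!object.sources) add('medium', 'object-src', "missing; add object-src 'none'");
  else if (object.sources.length === 1 && object.sources[0].toLowerCase() === "'none'") add('ok', object.from, "object-src 'none' blocks plugins");
  else add('low', object.from, "object-src is not 'none'");
  if (!directives.has('frame-ancestors')) add('medium', 'frame-ancestors', 'missing; page can be framed (clickjacking)');
  if (!directives.has('base-uri')) add('low', 'base-uri', 'missing; an injected <base> tag could redirect relative URLs');

  const rank = { high: 0, medium: 1, low: 2, ok: 3 };
  findings.sort((a, b) => rank[a.severity] - rank[b.severity]); // worst first
  return { directives, findings };
}

// Constructed sample: the page's own example, with the optional header name.
const SAMPLE = "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'";
for (const f of analyzeCsp(SAMPLE).findings) {
  console.log(f.severity.toUpperCase().padEnd(6), f.directive, f.message);
}
```

Run with Node to print the page's example findings in worst-first order. Note the fallback handling: a policy with only default-src 'self' 'unsafe-inline' and no script-src is reported against default-src, because that is the list browsers actually apply to scripts.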
Common errors & troubleshooting
- The policy has script-src 'self' but inline scripts still run. — Check for 'unsafe-inline' in script-src (or in default-src, which governs scripts only when script-src is absent). Remove it and switch to nonces or hashes so only your inline blocks execute. Also confirm the header is Content-Security-Policy rather than Content-Security-Policy-Report-Only: a report-only policy logs violations but never blocks anything.
- The analyzer warns that default-src is missing. — default-src is the fallback for most fetch directives. Without it, any fetch directive you did not explicitly list is unrestricted — add default-src 'self' or 'none'.
- Frame-ancestors is flagged even though X-Frame-Options is set. — When frame-ancestors is present, browsers ignore X-Frame-Options, so it is the directive that actually decides whether the page can be framed. Add frame-ancestors 'self' or 'none' to the CSP so framing is controlled by the policy.
- A wildcard '*' in a source is reported as a risk. — '*' allows content from any origin, defeating the point of that directive. Replace it with the specific https:// hosts you actually load from.
Frequently asked questions
- What does the CSP Analyzer check for?
- It parses each directive, explains what it controls, and flags common weaknesses: 'unsafe-inline' and 'unsafe-eval' in script sources, bare '*' wildcards, insecure http: origins, an overly broad data: scheme, and missing default-src, object-src 'none', frame-ancestors, and base-uri.
- Why is 'unsafe-inline' flagged as high risk?
- 'unsafe-inline' lets inline <script> blocks and event-handler attributes run, which is exactly the injection vector CSP is meant to block. It effectively neutralizes script-src, so the analyzer treats it as a high-severity finding and suggests nonces or hashes instead.
- Do I need to include the 'Content-Security-Policy:' header name?
- No. You can paste either the full header line or just the policy value. The analyzer strips a leading 'Content-Security-Policy:' or 'Content-Security-Policy-Report-Only:' prefix automatically before parsing.
- Why does the analyzer warn about a missing frame-ancestors?
- Without frame-ancestors, any site can embed your page in an iframe, enabling clickjacking. frame-ancestors is the modern replacement for X-Frame-Options, so the analyzer recommends adding frame-ancestors 'self' or 'none'.
- Does this validate that my policy is syntactically perfect?
- It focuses on security posture rather than strict grammar. It handles the common shapes browsers accept — semicolon-separated directives with space-separated sources — and points out risky sources and missing hardening rather than nitpicking whitespace.
- Is the CSP header I paste sent anywhere?
- No. The CSP Analyzer parses and scores the policy entirely in your browser. The header value you paste stays on your device and is never uploaded to ArrayKit.
Related tools
- CSP Header Generator — Build a Content-Security-Policy header from directive toggles, with report-only and copy output.
- Meta Tag Generator — Generate SEO, Open Graph and Twitter Card meta tags for your page from a simple form.
- Cache-Control Header Builder — Assemble a correct HTTP Cache-Control header from plain toggles and human time units, with copy-ready nginx, Apache, and meta snippets.
- X.509 Certificate Decoder — Decode a PEM or DER certificate to view subject, issuer, validity, SANs and fingerprints.
- .htaccess Generator — Toggle and configure common Apache .htaccess snippets with live output.