CSP Analyzer

Paste a Content-Security-Policy header value to see each directive explained in plain English and every risk flagged by severity, all in your browser.

CSP Analyzer parses and scores your Content-Security-Policy entirely in your browser. The header value you paste never leaves your device, and nothing is uploaded to ArrayKit.


About CSP Analyzer

CSP Analyzer takes a Content-Security-Policy header value and breaks it into a per-directive table, explaining in plain English what each directive controls. It then audits the policy for the weaknesses that quietly defeat a CSP: 'unsafe-inline' and 'unsafe-eval' in script sources, bare '*' wildcards, insecure http: origins, an overly broad data: scheme, and missing hardening such as default-src, object-src 'none', frame-ancestors, and base-uri. Each finding carries a severity so you can see at a glance whether a policy is tight or leaky. This is useful when you are hardening a site, reviewing a policy generated by a framework, or debugging why a report-only CSP still allows inline scripts. Everything is parsed and scored on your device; the header you paste is never uploaded.

How to use CSP Analyzer

  1. Copy the Content-Security-Policy header value from your server config or response headers
  2. Paste it into the analyzer (the leading header name is optional)
  3. Read the per-directive table to confirm what each directive allows
  4. Work through the findings worst-first, tightening the flagged directives

Example

Input

default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'

Output

HIGH  script-src  'unsafe-inline' permits inline scripts
MED   frame-ancestors  missing — page can be framed (clickjacking)
OK    object-src  'none' blocks plugins (recommended)

The analyzer flags 'unsafe-inline' as high, notes the missing frame-ancestors, and confirms object-src 'none'.

Frequently asked questions

What does CSP Analyzer check for?
It parses each directive, explains what it controls, and flags common weaknesses: 'unsafe-inline' and 'unsafe-eval' in script sources, bare '*' wildcards, insecure http: origins, an overly broad data: scheme, and a missing default-src, object-src 'none', frame-ancestors, and base-uri.
Why is 'unsafe-inline' flagged as high risk?
'unsafe-inline' lets inline <script> blocks and event-handler attributes run, which is exactly the injection vector CSP exists to block. It effectively neutralizes script-src, so the analyzer treats it as a high-severity finding and suggests nonces or hashes instead.
Do I need to include the 'Content-Security-Policy:' header name?
No. You can paste either the full header line or just the policy value. The analyzer automatically strips a leading 'Content-Security-Policy:' or 'Content-Security-Policy-Report-Only:' prefix before parsing.
Why does the analyzer warn about a missing frame-ancestors?
Without frame-ancestors, any site can embed your page in an iframe, which enables clickjacking. frame-ancestors is the modern replacement for X-Frame-Options, so the analyzer recommends adding frame-ancestors 'self' or 'none'.
Does it validate that my policy is syntactically perfect?
It focuses on security posture rather than strict grammar. It handles the common shapes browsers accept (semicolon-separated directives with space-separated sources) and points out risky sources and missing hardening rather than nitpicking whitespace.
Is the CSP header I paste sent anywhere?
No. CSP Analyzer parses and scores the policy entirely in your browser. The header value you paste stays on your device and is never uploaded to ArrayKit.
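The parse-and-audit flow described in the About section and the FAQ, written out as an added JavaScript example. This is not ArrayKit's code: the function names (parseCsp, auditCsp, formatFindings) and the severities assigned to findings other than the three shown in the example output above are assumptions; the header-prefix stripping, the checked weaknesses and the worst-first ordering follow the page's description, and the policy strings fed in are constructed samples.

```javascript
// Added example, not ArrayKit's implementation. Function names are hypothetical.

// Strip an optional leading header name (plain or Report-Only), then split the
// value into directives. Browsers honour the first occurrence of a directive and
// ignore repeats (CSP spec behaviour, not stated on the page), so we do the same.
function parseCsp(raw) {
  const value = raw
    .trim()
    .replace(/^content-security-policy(-report-only)?\s*:\s*/i, '');
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Audit the parsed policy for the weaknesses the analyzer looks for and return
// findings sorted worst-first. Severities other than the three in the page's
// example output (HIGH unsafe-inline, MED missing frame-ancestors, OK object-src
// 'none') are assumed here.
function auditCsp(raw) {
  const d = parseCsp(raw);
  const findings = [];
  const add = (severity, directive, message) =>
    findings.push({ severity, directive, message });

  // Effective script sources: script-src, or default-src when it is absent.
  const scriptDirective = d.has('script-src') ? 'script-src' : 'default-src';
  const scriptSrc = d.get(scriptDirective) ?? [];
  if (scriptSrc.includes("'unsafe-inline'")) {
    add('HIGH', scriptDirective, "'unsafe-inline' permits inline scripts");
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    add('HIGH', scriptDirective, "'unsafe-eval' permits eval()-style code execution");
  }

  // Per-directive source checks: wildcards, http: origins, data: in code-loading directives.
  for (const [name, sources] of d) {
    if (sources.includes('*')) add('HIGH', name, "bare '*' allows any origin");
    if (sources.some((s) => /^http:/i.test(s))) add('MED', name, 'insecure http: origin');
    if (sources.includes('data:') && /^(script-src|default-src|object-src)$/.test(name)) {
      add('HIGH', name, 'data: scheme is overly broad for code-loading directives');
    }
  }

  // Missing hardening directives.
  if (!d.has('default-src')) add('MED', 'default-src', 'missing — unlisted fetch directives are unrestricted');
  if (!d.has('frame-ancestors')) add('MED', 'frame-ancestors', 'missing — page can be framed (clickjacking)');
  if (!d.has('base-uri')) add('LOW', 'base-uri', 'missing — an injected <base> can retarget relative URLs');
  const objectSrc = d.get('object-src');
  if (objectSrc && objectSrc.includes("'none'")) {
    add('OK', 'object-src', "'none' blocks plugins (recommended)");
  } else {
    add('MED', 'object-src', "missing or permissive — set object-src 'none'");
  }

  const rank = { HIGH: 0, MED: 1, LOW: 2, OK: 3 };
  findings.sort((a, b) => rank[a.severity] - rank[b.severity]); // stable sort keeps insertion order within a rank
  return findings;
}

// Render findings in the same shape as the example output on the page.
function formatFindings(findings) {
  return findings
    .map((f) => `${f.severity.padEnd(5)} ${f.directive}  ${f.message}`)
    .join('\n');
}

// Constructed sample: the page's own example input.
const samplePolicy = "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'";
console.log(formatFindings(auditCsp(samplePolicy)));
```

Running the block prints the HIGH, MED and OK lines from the page's example, plus a LOW line for the missing base-uri, in worst-first order.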
