CSP Evaluator & Builder
Evaluate Content Security Policy headers for security weaknesses, detect bypass gadgets, suggest strict CSP, generate nonces, compare two CSPs, and export to Nginx/Apache/meta-tag. 100% client-side.
About CSP Evaluator & Builder
Evaluate Content Security Policy headers for security weaknesses, detect bypass gadgets, suggest strict CSP, generate nonces, compare two CSPs, and export to Nginx/Apache/meta-tag. 100% client-side. Everything runs locally in your browser — your data never leaves your device.
How to use
- Enter your input in the tool above.
- Adjust any options to your preference.
- Use the Copy or Download buttons to save the result.
- Everything happens locally — your data never leaves your browser.
FAQ
What is Content Security Policy (CSP)?
CSP is an HTTP response header that lets site operators restrict the resources (scripts, styles, images) that a browser is allowed to load. It's a defense-in-depth mitigation for XSS and data injection attacks. Defined in CSP Level 3 (W3C).
What does this evaluator check?
It checks for: unsafe directives (unsafe-inline, unsafe-eval), missing default-src fallback, wildcards, http: sources in script directives, deprecated directives, missing base-uri/form-action/frame-ancestors/report-uri/upgrade-insecure-requests. It also detects known bypass gadgets (Angular on CDN, JSONP endpoints, data: URIs) and computes a 0-100 security score.
What is a CSP bypass gadget?
A bypass gadget is a script-hosting source that, when allowed in script-src, can be abused to execute arbitrary JavaScript despite CSP. Common gadgets: Angular on Google CDN (via $eval), Prototype.js, JSONP endpoints on jsdelivr/cdnjs, and data: URIs. Our tool detects these and recommends safer alternatives.
What extra features does this tool have compared to others?
Beyond standard evaluation, we ship: (1) CSP history (localStorage, last 20). (2) CSP builder — construct a CSP from directives with toggles. (3) CSP preset templates (Strict, Permissive, Report-only, WordPress, Next.js). (4) Source explanation — explain what each source ('self', 'unsafe-inline', data:, etc.) means and its risk level. (5) Score breakdown — see exactly how the score was computed. (6) Export to Nginx/Apache/meta-tag formats. (7) Directive reference — docs for all 15+ CSP directives. (8) Nonce generator — generate cryptographically secure nonces for CSP. (9) Shareable URL — encode CSP in fragment. (10) CSP comparison mode — diff two CSPs directive-by-directive.
Should I use 'unsafe-inline'?
No, ideally not. 'unsafe-inline' allows inline scripts and styles, which defeats much of CSP's XSS protection. Use nonces (per-request random values: 'nonce-XXX') or hashes ('sha256-...') instead. Our tool's 'suggestHashOrNonce' feature will recommend the right approach based on your current CSP.
Is my CSP header sent anywhere?
No. Analysis is done entirely in your browser using string parsing and pattern matching. Nothing is logged or transmitted. CSP history is stored in localStorage on your device only.
Related tools
Bcrypt & PBKDF2 Hash Generator
Generate and verify bcrypt + PBKDF2-SHA256 password hashes. Adjustable cost factor, batch verify, hash format detection, crack-time estimate, password strength check, hash comparison, and CSV export. 100% private.
Data URL Converter
Convert files to data: URLs and back. SVG optimization, batch encoding, embed templates (HTML/CSS/JS/JSON), size validation, magic bytes detection, and drag-drop. 100% private, offline.
HTTP Status Code Reference
Searchable reference for all HTTP status codes with common causes, how-to-fix guides, IANA links, server-software mapping (nginx/Cloudflare/Apache), HTTP/2 vs HTTP/1.1 differences, quiz mode, and CSV/Markdown export. 100% offline.