CSP Evaluator
Options
Findings
Normalized directives
What is a CSP Evaluator?
A CSP Evaluator reviews a Content-Security-Policy header and highlights directives that may weaken browser-side protection.
It is useful when tuning XSS defenses, reviewing application headers, comparing policies, or preparing a stricter production CSP.
How to use the CSP Evaluator
- Paste a Content-Security-Policy header into the input field.
- Click Evaluate CSP or enable automatic evaluation.
- Review critical findings, warnings, passed checks, and the normalized directive list.
- Adjust your server configuration and test again.
Related guides
Learn the workflow behind this tool and what to check next.
How to inspect JWT auth issues
A JWT troubleshooting flow for checking token claims, time values, permissions, and signing assumptions without treating decoding as verification.
How to validate a domain before launch
A launch workflow for confirming DNS records, domain ownership signals, SSL coverage, and security headers on the public endpoint.
CSP checks before deploying a stricter security policy
A Content Security Policy can reduce XSS risk, but unsafe directives, missing fallbacks, report-only testing, and third-party scripts need careful review.
Remove unsafe script rules
Review unsafe-inline, unsafe-eval, wildcards, data sources, and broad HTTPS allowances before treating a policy as strong.
Set critical directives
Check default-src, script-src, object-src, base-uri, frame-ancestors, and form-action for the protections your app needs.
Use report-only rollout
Test policy changes with Content-Security-Policy-Report-Only before enforcing them on production traffic.
Track third-party dependencies
Document analytics, ads, chat, CDN, and payment domains so future vendors do not weaken the policy by accident.
Privacy and usage
Built for quick checks without an account
Toolinix tools are designed for short developer tasks: paste a safe sample, inspect the result, copy what you need, and move on.
No login required
You can use the tools without creating an account, subscribing to a newsletter, or saving a workspace.
Local when possible
Formatters, generators, encoders, and text utilities generally run in your browser. Network diagnostics may need a server-assisted lookup to check public URLs, domains, or IPs.
Keep secrets out
Do not paste production passwords, private keys, access tokens, customer records, or regulated data into online tools unless your own security policy allows it.
Related tools
You may also find these tools useful.