CSP Evaluator
What is a CSP Evaluator?
A CSP Evaluator reviews a Content-Security-Policy header and highlights directives that may weaken browser-side protection.
It is useful when tuning XSS defenses, reviewing application headers, comparing policies, or preparing a stricter production CSP.
How to use the CSP Evaluator
- Paste a Content-Security-Policy header into the input field.
- Click Evaluate CSP or enable automatic evaluation.
- Review critical findings, warnings, passed checks, and the normalized directive list.
- Adjust your server configuration and test again.
Related tools
You may also find these tools useful.
- Security Headers Checker (SEO & Webmaster): Analyze HTTP security headers and get a security grade for your website.
- HTTP Headers Parser (Network & Web): Parse raw HTTP headers into JSON and readable key-value pairs.
- Webhook Signature Verifier (Encoding & Security): Verify webhook signatures using HMAC and compare provided vs computed signatures.
- JWT Debugger (Encoding & Security): Analyze, validate, and edit JWT tokens online.
- SSL / TLS Certificate Checker (Network & Web): Check certificate validity, expiration, issuer, SANs, OCSP, and TLS details.
CSP Evaluator FAQ
Does this tool fetch my website headers?
No. Paste the CSP header manually. Use the Security Headers Checker if you want to scan a URL.
Is unsafe-inline always bad?
It weakens CSP for scripts. It is sometimes used during migrations, but a nonce- or hash-based policy is safer.
Should every policy include frame-ancestors?
Most web apps should set frame-ancestors to reduce clickjacking risk, unless embedding is intentionally required.
Is my CSP stored?
No. Evaluation happens in your browser.