CSP Evaluator

All tools

Options

Grade
-
Critical
0
Warnings
0
Passes
0

Findings

Normalized directives

What is a CSP Evaluator?

A CSP Evaluator reviews a Content-Security-Policy header and highlights directives that may weaken browser-side protection.

It is useful when tuning XSS defenses, reviewing application headers, comparing policies, or preparing a stricter production CSP.

How to use the CSP Evaluator

  1. Paste a Content-Security-Policy header into the input field.
  2. Click Evaluate CSP or enable automatic evaluation.
  3. Review critical findings, warnings, passed checks, and the normalized directive list.
  4. Adjust your server configuration and test again.

Related guides

Learn the workflow behind this tool and what to check next.

CSP checks before deploying a stricter security policy

A Content Security Policy can reduce XSS risk, but unsafe directives, missing fallbacks, report-only testing, and third-party scripts need careful review.

Remove unsafe script rules

Review unsafe-inline, unsafe-eval, wildcards, data sources, and broad HTTPS allowances before treating a policy as strong.

Set critical directives

Check default-src, script-src, object-src, base-uri, frame-ancestors, and form-action for the protections your app needs.

Use report-only rollout

Test policy changes with Content-Security-Policy-Report-Only before enforcing them on production traffic.

Track third-party dependencies

Document analytics, ads, chat, CDN, and payment domains so future vendors do not weaken the policy by accident.

Privacy and usage

Built for quick checks without an account

Toolinix tools are designed for short developer tasks: paste a safe sample, inspect the result, copy what you need, and move on.

No login required

You can use the tools without creating an account, subscribing to a newsletter, or saving a workspace.

Local when possible

Formatters, generators, encoders, and text utilities generally run in your browser. Network diagnostics may need a server-assisted lookup to check public URLs, domains, or IPs.

Keep secrets out

Do not paste production passwords, private keys, access tokens, customer records, or regulated data into online tools unless your own security policy allows it.

Related tools

You may also find these tools useful.

CSP Evaluator FAQ

Does this tool fetch my website headers?
No. Paste the CSP header manually. Use the Security Headers Checker if you want to scan a URL.
Is unsafe-inline always bad?
It weakens CSP for scripts. It is sometimes used during migrations, but a nonce or hash based policy is safer.
Should every policy include frame-ancestors?
Most web apps should set frame-ancestors to reduce clickjacking risk, unless embedding is intentionally required.
Is my CSP stored?
No. Evaluation happens in your browser.