CSP Policy Evaluator
loginThis tool is planned for a future release. Authentication and target-ownership verification will be required before it can be enabled.
This tool isn't available in the anonymous view. Sign in to access it.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What is Content Security Policy?
CSP is an HTTP header that tells browsers which resources are allowed to load on a page. It's the primary defence against Cross-Site Scripting (XSS): by restricting which scripts can execute, a CSP limits the damage even if an attacker injects malicious HTML. Example: Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com
What makes a CSP policy weak?
Common weaknesses: 'unsafe-inline' in script-src (allows inline scripts — defeats XSS protection), 'unsafe-eval' (allows eval() and similar), wildcard sources (script-src *), allowlisted CDNs with JSONP endpoints (attackers can use them to bypass the policy), and missing default-src fallback.
How do I build a CSP without breaking my site?
Start with report-only mode: Content-Security-Policy-Report-Only: default-src 'self' with a report-uri. This logs violations without blocking anything. Review reports, whitelist legitimate sources, then switch to enforcement mode. Nonces ('nonce-xxx') allow specific inline scripts without 'unsafe-inline' and are the recommended approach for modern apps.