Yoryantra
← Back to Tools

CSP Analyzer

Inspect CSP directives, source values, duplicate rules, unsafe keywords, and common policy gaps before testing the policy in a real application.

Paste a CSP header value from response headers, server configuration, or security testing notes.

CSP Analysis Report

Content Security Policy analysis will appear here.
CSP changes can block scripts, styles, images, frames, and API calls. Test policy changes carefully before applying them to production pages.

Analyzing Content Security Policy Headers Before Deployment

Content Security Policy helps control where scripts, styles, images, frames, fonts, and network requests can load from. A weak CSP header can allow unsafe sources, while an overly strict policy can break real page behavior.

This analyzer parses a policy and highlights common review points such as duplicate directives, wildcard sources, unsafe keywords, missing fallback protections, and source values that deserve closer inspection.

Reviewing CSP Directives and Unsafe Source Values

  1. Paste a Content Security Policy header into the input box.
  2. Click Analyze CSP.
  3. Review detected directives, warnings, and suggestions.
  4. Test any policy changes carefully before production rollout.

Common CSP Analyzer Use Cases

  • Checking CSP headers copied from HTTP responses.
  • Finding unsafe-inline or unsafe-eval in script and style rules.
  • Reviewing frame-ancestors protection against unwanted framing.
  • Checking whether object-src and base-uri are defined.
  • Reviewing source lists before tightening a security policy.

Example Content Security Policy

default-src 'self';
script-src 'self' https://cdn.example.com;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
connect-src 'self' https://api.example.com;
frame-ancestors 'none';
base-uri 'self';
object-src 'none';

Frequently Asked Questions

What does a CSP analyzer check?

It checks the policy text for common structural and source-list concerns. It does not load your application, observe runtime requests, or prove that the policy blocks every unwanted action.

Why are unsafe-inline and unsafe-eval important?

These values can weaken CSP protection because they allow inline code or dynamic code execution. Sometimes they are used for compatibility, but they should be reviewed carefully.

Can this tool confirm that my CSP is perfect?

No. The report is a static review of the policy text. Test the policy with the actual application, preferably in report-only mode first, and inspect browser violations and required sources.

Is my CSP header uploaded to a server?

No. The CSP analysis happens directly in your browser. Your policy header is not uploaded to a server.