CSP Report Analyzer
Analyze CSP violation reports, parse JSON or NDJSON, group blocked resources, inspect directives, and detect risky Content Security Policy patterns.
Paste a single CSP report, a JSON array, Report-To style reports, or NDJSON lines from a log export.
Options
Parses legacy csp-report payloads and newer Report-To style CSP violation reports, then groups the violations for easier debugging.
Output
CSP report analysis output will appear here.
Analyze Content Security Policy Violation Reports
Content Security Policy reports help you understand what a browser blocked or would have blocked because of your CSP header. They are useful during CSP rollout because they show blocked scripts, styles, images, frames, connections, and inline code before you make a policy stricter.
This CSP Report Analyzer parses common CSP report JSON and NDJSON formats, groups repeated violations, highlights risky patterns, and creates clean summaries for debugging or policy review. It does not automatically prove that every report is an attack, because reports can also come from browser extensions, old cached pages, third-party widgets, or rollout testing.
How to Use the CSP Report Analyzer
- Paste a CSP violation report, JSON array, or NDJSON report export.
- Choose whether to group by directive, blocked URI, document URI, or source file.
- Keep query-string redaction enabled if reports may contain private URL parameters.
- Review high-risk findings such as inline script, eval, data/blob URLs, insecure HTTP resources, and report-only versus enforced behavior.
- Copy the summary, detailed report, Markdown table, JSON, or CSV output.
Supported CSP Report Formats
The analyzer supports a single legacy csp-report object, JSON arrays of reports, newer report objects with a body field, and NDJSON log exports with one JSON object per line.
It reads fields such as document URI, blocked URI, violated directive, effective directive, source file, line number, column number, status code, disposition, raw report type, and script sample when available.
Common CSP Report Debugging Use Cases
- Finding which third-party scripts or images are blocked most often.
- Checking whether inline scripts or inline styles are still used.
- Spotting insecure http:// resources on HTTPS pages.
- Grouping reports by violated directive before updating a CSP header.
- Reviewing CSP reports before switching from report-only mode to enforcing mode.
- Cleaning report exports before sharing them with a developer or security reviewer.
Example CSP Report Fields
{
"csp-report": {
"document-uri": "https://example.com/account",
"violated-directive": "script-src-elem",
"blocked-uri": "https://cdn.example.com/app.js",
"source-file": "https://example.com/account"
}
}Report-Only CSP vs Enforced CSP
A report-only CSP lets browsers send violation reports without actually blocking the resource. This is useful when testing a new policy. An enforced CSP blocks resources that violate the policy, so it should be deployed carefully after reviewing reports and testing important user flows.
When reports look clean and expected resources are allowed intentionally, you can gradually tighten the policy and move from report-only mode to enforcement.
Frequently Asked Questions
What is a CSP violation report?
It is a browser-generated report that describes a resource blocked, or in report-only mode would have been blocked, by a Content Security Policy directive.
Can I paste multiple CSP reports at once?
Yes. You can paste a JSON array, a reports array, or NDJSON with one report object per line.
Can this parse Report-To style CSP reports?
Yes. It supports common legacy csp-report payloads and newer report objects with a body field.
Why should query strings be redacted?
URLs in security reports can sometimes contain tokens, IDs, or private parameters. Redacting query strings makes reports safer to share.
Does this update my CSP policy automatically?
No. It analyzes reports and highlights patterns. You should review changes before updating a real CSP header.
Is anything uploaded when I analyze reports?
No. Analysis happens directly in your browser.
