Free Content-Security-Policy Evaluator
Paste a Content-Security-Policy and get an instant security grade — flags unsafe-inline / unsafe-eval, over-broad (wildcard / scheme-wide) script sources, missing object-src, base-uri and frame-ancestors, and rewards nonce/hash-based policies. Runs in your browser.
What this CSP evaluator checks
How it works
In-browser: nothing is uploaded.
1. You paste a Content-Security-Policy; we parse and grade it in your browser.
2. We flag unsafe-inline / unsafe-eval, over-broad sources (wildcard, https:, data:), and missing object-src / base-uri / frame-ancestors — and reward nonce/hash-based policies.
3. The policy text is analysed client-side and never sent anywhere.
Why it matters
A Content-Security-Policy is one of the strongest defences against cross-site scripting and clickjacking — but a single unsafe-inline or wildcard source can quietly neutralise it. Grading the policy shows exactly where it is weak and what to tighten.
Frequently asked questions
Is the CSP evaluator free?
Yes, and it runs entirely in your browser — paste a policy and grade it instantly, no sign-up.
Why is unsafe-inline flagged so strongly?
'unsafe-inline' in script-src lets injected inline scripts execute, which defeats the main XSS protection a CSP is supposed to provide. Use nonces or hashes instead.
What directives should a strong CSP include?
At minimum a restrictive script-src (no unsafe-inline; nonces/hashes for inline), object-src 'none', base-uri 'self' and frame-ancestors 'none' (or 'self').
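The checks listed under "How it works" and the baseline directives named in the answer above can be expressed as a small parser and grader. The following is an added illustration, not the evaluator's own code: it splits a policy into directives, applies the same rules (unsafe-inline / unsafe-eval, wildcard and scheme-wide script sources, missing object-src / base-uri / frame-ancestors, credit for nonce or hash sources) and returns a score with findings. The point deductions, the A to F thresholds, and the treatment of 'strict-dynamic' are assumptions chosen for the example.

```javascript
// Added example: a minimal Content-Security-Policy parser and grader mirroring
// the checks described on this page. Point values and grade thresholds are
// assumptions for illustration, not the evaluator's actual scoring.

// Parse a CSP header value into a Map of directive name -> array of source tokens.
// Directives are separated by ';', tokens by whitespace; names are case-insensitive.
// Per the CSP spec a repeated directive is ignored, so the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1).map(t => t.toLowerCase()));
  }
  return directives;
}

// Fetch-style directives (script-src, object-src) fall back to default-src.
// base-uri and frame-ancestors do NOT fall back, so they are looked up directly.
function effectiveSources(directives, name, fallsBack) {
  if (directives.has(name)) return directives.get(name);
  if (fallsBack && directives.has('default-src')) return directives.get('default-src');
  return null; // directive absent: no restriction at all
}

// Wildcard and scheme-wide sources let scripts load from anywhere matching the scheme.
function isOverBroad(token) {
  return ['*', 'https:', 'http:', 'data:', 'blob:'].includes(token);
}

function evaluateCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  let score = 100;

  const script = effectiveSources(d, 'script-src', true);
  if (script === null) {
    findings.push({ severity: 'high', message: 'No script-src or default-src: scripts may load from anywhere' });
    score -= 40;
  } else {
    const hasNonceOrHash = script.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    const hasStrictDynamic = script.includes("'strict-dynamic'");
    if (script.includes("'unsafe-inline'")) {
      if (hasNonceOrHash) {
        // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
        // so it only acts as a fallback for old browsers (assumed low severity).
        findings.push({ severity: 'low', message: "'unsafe-inline' present but overridden by nonce/hash in modern browsers" });
        score -= 5;
      } else {
        findings.push({ severity: 'high', message: "'unsafe-inline' in script-src allows injected inline scripts" });
        score -= 40;
      }
    }
    if (script.includes("'unsafe-eval'")) {
      findings.push({ severity: 'medium', message: "'unsafe-eval' in script-src allows eval() of attacker-controlled strings" });
      score -= 15;
    }
    for (const t of script) {
      // with 'strict-dynamic', host/scheme sources are ignored by CSP3 browsers (assumption: do not flag)
      if (isOverBroad(t) && !hasStrictDynamic) {
        findings.push({ severity: 'high', message: `Over-broad script source ${t}` });
        score -= 20;
      }
    }
    if (hasNonceOrHash) {
      findings.push({ severity: 'info', message: 'Nonce/hash-based script-src (good)' });
      score += 5;
    }
  }

  const obj = effectiveSources(d, 'object-src', true);
  if (obj === null || !obj.includes("'none'")) {
    findings.push({ severity: 'medium', message: "object-src is missing or not 'none'" });
    score -= 10;
  }
  if (effectiveSources(d, 'base-uri', false) === null) {
    findings.push({ severity: 'medium', message: 'base-uri missing: injected <base> can redirect relative script URLs' });
    score -= 10;
  }
  if (effectiveSources(d, 'frame-ancestors', false) === null) {
    findings.push({ severity: 'medium', message: 'frame-ancestors missing: page may be framed (clickjacking)' });
    score -= 10;
  }

  score = Math.max(0, Math.min(100, score));
  const grade = score >= 90 ? 'A' : score >= 75 ? 'B' : score >= 60 ? 'C' : score >= 40 ? 'D' : 'F';
  return { score, grade, findings };
}

// Constructed sample policies: a weak one and a nonce-based one with the page's baseline directives.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; object-src 'none'";
const STRONG_POLICY = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
```

Calling `evaluateCsp(WEAK_POLICY)` yields an F with findings for 'unsafe-inline', the https: source, and the missing base-uri and frame-ancestors, while `evaluateCsp(STRONG_POLICY)` yields an A with only the informational nonce finding. Note that base-uri and frame-ancestors are deliberately not looked up via default-src, because browsers do not apply that fallback to them.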