🛡️ CSP Analyzer

Analyze a Content-Security-Policy header for dangerous directives and missing protections.

Paste the value of a Content-Security-Policy header (with or without the header name prefix).

📚 How CSP prevents XSS attacks

Content-Security-Policy tells the browser which sources of JavaScript, CSS, images, and other resources are trusted. Any resource from an untrusted origin is blocked before it runs.

Without CSP: A successful XSS injection can load external scripts, steal cookies, capture keystrokes, or redirect users — the browser has no way to know the script is malicious.

With a strict CSP: Even if an attacker injects a <script> tag, the browser won't execute it if it's not from an allowed source or doesn't have a valid nonce.

Best practice: Use nonces (script-src 'nonce-{random}') rather than 'unsafe-inline'. Set object-src 'none' to disable plugins, and base-uri 'self' to prevent base-tag injection.
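As an added example (not the analyzer's own code), the checks described in this section written as a small JavaScript function: it parses a policy with or without the header-name prefix and reports missing or unsafe script-src, object-src and base-uri settings. The function names parseCsp/analyzeCsp and the finding messages are assumptions of this example; directive and keyword names are from the CSP specification.

```javascript
// Added example: minimal CSP analyzer for the weaknesses discussed above.
const HEADER_PREFIX = /^content-security-policy\s*:\s*/i;

// Parse a header value into a Map of directive name -> array of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.replace(HEADER_PREFIX, "").split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per spec, a repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives fall back to default-src; returns null when neither is set.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// Returns an array of finding strings (empty when none of the checks fire).
function analyzeCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const script = effectiveSources(policy, "script-src");
  if (script === null) {
    findings.push("script-src missing with no default-src fallback: any script may load");
  } else {
    const src = script.map((s) => s.toLowerCase());
    // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'.
    const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash: injected inline scripts run");
    }
    if (src.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    for (const s of src) {
      if (s === "*" || /^(https?|data|blob):$/.test(s)) findings.push(`script-src allows broad source ${s}`);
    }
  }
  if (effectiveSources(policy, "object-src") === null) {
    findings.push("object-src missing with no default-src fallback: set object-src 'none'");
  }
  // base-uri is a document directive and never falls back to default-src.
  if (!policy.has("base-uri")) findings.push("base-uri missing: set base-uri 'self'");
  return findings;
}
```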