securityweb

CSP Analyzer

A new CSP Analyzer joins the toolset. Paste a Content-Security-Policy header value and it breaks the policy into three views.

Audit

Security findings ranked High → Medium → Low → Info, each with an explanation and a fix. It catches the common Content-Security-Policy weaknesses:

  • 'unsafe-inline' and 'unsafe-eval' in script-src — and it's smart about it: 'unsafe-inline' is only flagged as high severity when no nonce, hash, or 'strict-dynamic' is present to neutralize it for modern browsers.
  • Wildcard * and scheme-only sources (https:, http:, data:) in script-src.
  • Missing default-src, base-uri, frame-ancestors (clickjacking), form-action, and object-src 'none'.
  • Deprecated report-uri, unknown/misspelled directives, and ignored duplicates.

Effective policy

CSP has a subtlety that trips people up: most fetch directives fall back to default-src when omitted — but base-uri, form-action, and frame-ancestors do not. The Effective policy view resolves each directive and labels how its value was derived: explicit, via default-src, or unrestricted.

Directives

The raw parsed breakdown of every directive and its source list, with duplicates flagged.
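The three views above (duplicate detection, default-src fallback resolution, and the 'unsafe-inline' severity rule) in working form, as an added example that is not the tool's own code. The directive lists, the `via` labels, and the lower "Info" level for a neutralized 'unsafe-inline' are assumptions made for this illustration.

```javascript
// Added example (not the CSP Analyzer's own code): parse a CSP header value,
// resolve the effective policy, and apply the 'unsafe-inline' audit rule.

// Fetch directives that fall back to default-src when omitted (assumed subset).
const FALLBACK_TO_DEFAULT = [
  "script-src", "style-src", "img-src", "connect-src", "font-src",
  "object-src", "media-src", "frame-src", "worker-src", "manifest-src",
];
// Directives that never fall back to default-src.
const NO_FALLBACK = ["base-uri", "form-action", "frame-ancestors"];

// Parse into { directives: Map<name, string[]>, duplicates: string[] }.
// A repeated directive is ignored by browsers, so the first occurrence wins
// and later copies are recorded as duplicates for the audit.
function parseCsp(header) {
  const directives = new Map();
  const duplicates = [];
  for (const token of header.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (directives.has(name)) { duplicates.push(name); continue; }
    directives.set(name, parts.slice(1));
  }
  return { directives, duplicates };
}

// Resolve each directive's effective source list and label how it was derived:
// "explicit", "default-src" (inherited), or "unrestricted" (no policy applies).
function effectivePolicy(directives) {
  const out = {};
  const dflt = directives.get("default-src");
  for (const name of [...FALLBACK_TO_DEFAULT, ...NO_FALLBACK]) {
    if (directives.has(name)) out[name] = { sources: directives.get(name), via: "explicit" };
    else if (dflt && FALLBACK_TO_DEFAULT.includes(name)) out[name] = { sources: dflt, via: "default-src" };
    else out[name] = { sources: [], via: "unrestricted" };
  }
  return out;
}

// 'unsafe-inline' in the effective script-src is High only when no nonce, hash,
// or 'strict-dynamic' is present; otherwise it is downgraded (assumed: "Info").
function unsafeInlineSeverity(effective) {
  const src = effective["script-src"].sources;
  if (!src.includes("'unsafe-inline'")) return null;
  const neutralized = src.some(
    (s) => /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  return neutralized ? "Info" : "High";
}
```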

Fetch from URL

Don't have the policy handy? Enter a URL and the tool retrieves the live Content-Security-Policy header for you, then analyzes it. The fetch is hardened against SSRF — only http/https is allowed, private/loopback/link-local/metadata addresses are refused (including after DNS resolution and on every redirect hop), and only response headers are read.

Parsing and auditing run entirely in your browser, and the current policy is saved to the URL as ?policy=… so you can share or revisit an analysis.