Free Online CSP & Security Headers Analyzer
Parse directives • Flag risky patterns • Export findings report (local, no uploads)
About this tool
This free online CSP analyzer parses Content-Security-Policy directives and common response security headers, normalizes sources, and flags patterns that weaken protections against XSS, clickjacking, and injection paths. Paste a CSP header or a full response header block and get severity-scored findings plus an exportable report — processing is local-only in your browser with no uploads.
Common use cases
- Validate a CSP change before deploying to production
- Quickly assess security posture during incident response or triage
- Review third-party integrations for overly broad allowlists
- Generate a lightweight findings report for PRs, tickets, or audits
- Check for missing headers like X-Content-Type-Options, Referrer-Policy, and Permissions-Policy
How it works
Input is parsed client-side. CSP directives are tokenized into sources/keywords, whitespace is normalized, and each directive is evaluated against a ruleset to produce findings (High/Medium/Low/Info). If you paste full response headers, the analyzer extracts CSP and also evaluates other common hardening headers alongside it. The “Parsed” view shows normalized directives and token mapping so you can verify exactly what the browser would interpret.
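The parse-normalize-evaluate pipeline described above, as an added Python illustration (not the analyzer's own code): `parse_csp` tokenizes directives into source lists, and `analyze` runs a small constructed ruleset over them, including the caveat that CSP2+ browsers ignore `'unsafe-inline'` once a nonce or hash is present. Severities and messages are assumptions for this example.

```python
from typing import Dict, List, Tuple

# Constructed ruleset: risky source tokens -> (severity, explanation).
RISKY_SOURCES = {
    "'unsafe-inline'": ("High", "permits inline scripts/styles; prefer nonces or hashes"),
    "'unsafe-eval'": ("High", "permits eval()-style string-to-code execution"),
    "*": ("High", "wildcard allows any origin"),
    "data:": ("Medium", "data: URIs can carry attacker-controlled content"),
    "http:": ("Medium", "scheme-only source allows every http origin"),
    "https:": ("Medium", "scheme-only source allows every https origin"),
}
FETCH_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src",
                    "connect-src", "frame-src", "object-src"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Tokenize a CSP header into {directive: [sources]} with normalized whitespace."""
    directives: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()          # collapses runs of spaces/tabs
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in directives:        # CSP3: a repeated directive is ignored, first one wins
            continue
        directives[name] = tokens[1:]
    return directives


def analyze(header: str) -> List[Tuple[str, str, str, str]]:
    """Return (severity, directive, token, message) findings for one CSP header."""
    policy = parse_csp(header)
    findings = []
    for name, sources in policy.items():
        if name not in FETCH_DIRECTIVES:
            continue
        has_nonce_or_hash = any(s.lower().startswith(HASH_OR_NONCE) for s in sources)
        for src in sources:
            hit = RISKY_SOURCES.get(src.lower())
            if not hit:
                continue
            sev, msg = hit
            # CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash is also listed.
            if src.lower() == "'unsafe-inline'" and has_nonce_or_hash and name in ("script-src", "style-src"):
                sev, msg = "Info", "'unsafe-inline' is ignored because a nonce/hash is present (legacy fallback)"
            findings.append((sev, name, src, msg))
    # No script-src and no default-src fallback means script loading is unrestricted.
    if "script-src" not in policy and "default-src" not in policy:
        findings.append(("High", "script-src", "(missing)", "no script-src or default-src fallback"))
    return findings
```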
FAQ
Does this tool upload my headers or CSP?
No. Analysis runs locally in your browser and nothing is sent to a backend.
Can I paste full response headers instead of only CSP?
Yes. Paste the header block and the analyzer will extract CSP and evaluate other common security headers.
Why are 'unsafe-inline' / 'unsafe-eval' flagged?
They weaken script/style restrictions and can open injection paths. Prefer nonces/hashes and narrower sources.