CSP Header Checker — Content-Security-Policy Parse & Grade

Composite security header scores award twenty-five points for any CSP presence — whether strict or dangerously permissive. XSS defenders need directive-level critique: does script-src allow unsafe-inline? Are wildcards opening every origin? Does frame-ancestors complement clickjacking controls?

Our CSP header checker exists because policy quality matters more than policy existence. A site with Content-Security-Policy: default-src * may score well on presence-only checkers while offering minimal protection.

CSP headers use semicolon-separated directives with space-separated source lists — script-src 'self' https://cdn.example.com; object-src 'none'. We parse each directive name lowercase into a directives object mapping to token arrays for programmatic review and copy-paste into documentation.

hasDefaultSrc, hasScriptSrc, hasStyleSrc, and hasFrameAncestors booleans summarize coverage. Missing both default-src and script-src triggers an issue because browsers fall back to permissive default behavior for script loading.

unsafe-inline in script-src or style-src allows inline script blocks — the primary XSS injection vector CSP was designed to eliminate. unsafe-eval permits eval() and similar constructs attackers use to execute string payloads. Each triggers dedicated issues and significant grade penalties.

Legacy apps often require unsafe-inline during migration — track issues array as a remediation backlog toward nonce or hash based policies.

Wildcard * in any directive source list permits loading from arbitrary origins for that resource type — defeating origin restriction purpose. data: URIs in script contexts enable injection via base64 payloads in some browser configurations.

wildcardSources and dataScheme booleans highlight these patterns. Grade deductions reflect severity in our scoring model aligned with common CSP deployment guidance.

frame-ancestors replaces X-Frame-Options in modern browsers, specifying which origins may embed your page in iframes. Missing frame-ancestors with no child-src fallback generates an issue — clickjacking protection may rely solely on X-Frame-Options if present.

Pair with clickjacking test when framing policy is security critical. CSP frame-ancestors 'none' is stronger than SAMEORIGIN in multi-origin embedding scenarios.

Content-Security-Policy-Report-Only sends violation reports without blocking — useful for staging policy rollouts. reportOnly true in results means only Report-Only header appeared without enforcing CSP.

Production sites should deploy enforcing policies after Report-Only validation. Monitoring report-uri or report-to endpoints catches violations during transition.

Grade A requires high heuristic score — typically strict sources without unsafe tokens or wildcards. Grade B and C indicate partial protections with notable gaps. D and F reflect missing core directives or dangerous unsafe tokens.

Grades approximate deployment maturity — not formal penetration test verdicts. Manual review of directives object remains essential for nonce uniqueness and third-party script allowlists.

Security headers checker scores five header categories at presence level with composite 0–100 score. CSP header checker dives exclusively into Content-Security-Policy parsing and weakness detection.

Run composite checker for executive dashboards. Run CSP checker when engineers tune script-src during XSS remediation sprints.

CDNs and edge workers inject CSP at different layers — origin versus edge policies may differ. Test the public URL users hit, including www versus apex variants.

Subresource responses carry separate CSP for embedded contexts — this tool analyzes the top-level document response only.

We fetch publicly reachable URLs you submit with a standard tool user agent. Test only sites you own or are authorized to assess. Fetch results reflect one path at query time.

Copied policy strings may contain internal domain names — sanitize before sharing in public tickets.