CSP Analyzer — Content-Security-Policy Check Online

101IP parses the Content-Security-Policy header from any website: displays all directives, highlights dangerous configurations, and grades the policy from A+ to F.

What is checked

• 'unsafe-inline' — allows inline scripts and styles, the main XSS vector;
• 'unsafe-eval' — allows eval() and dynamic code execution;
• Wildcard * — allows loading resources from any host;
• data: URI — may be exploited to load malicious content;
• http: scheme — insecure HTTP sources on an HTTPS site;
• Missing directives — default-src, object-src, base-uri, frame-ancestors.

Grade scale

• A+ / A — strict policy, no critical issues;
• B / C — some weaknesses, improvements recommended;
• D / F — critical vulnerabilities, CSP provides little protection.