Analyses the Content-Security-Policy header: parses directives and identifies dangerous configurations.
101IP parses the Content-Security-Policy header from any website: displays all directives, highlights dangerous configurations, and grades the policy from A+ to F.
eval() and dynamic code execution;The 'unsafe-inline' directive allows execution of any inline scripts and styles. This is extremely dangerous because an attacker can inject malicious code through an XSS vulnerability. Instead, it is recommended to use strict nonces or hashes for individual scripts, which allow only verified inline content.
A grade of F means the policy is absent or contains critical vulnerabilities — for example, default-src * or both unsafe-inline and unsafe-eval are permitted. You should immediately configure a CSP header that restricts scripts to trusted sources only and uses nonces or hashes for any inline content.
Most likely your script-src directive does not include the Google Analytics domains (e.g. www.googletagmanager.com). Add those domains to your allowed sources. CSP Analyzer will show which scripts are blocked so you can adjust the directive and restore analytics without weakening the overall policy.