Analyze Content-Security-Policy headers into directives, source expressions, and conservative security review hints without sending data to a server.
Continue with a related workflow or open the next tool that usually follows this task.
Use this workflow when a CSP blocks expected browser behavior, allows risky sources, or needs a readable review before a deployment change.
OpenRelated toolGenerate MD5, SHA-1, SHA-256, and SHA-512 checksums locally.
OpenRelated toolDecode JWT header, payload, claims, and expiration locally.
OpenRelated toolSafely escape <, >, &, and quotes to entities or decode them — processing stays in your browser.
OpenPaste a Content-Security-Policy header value or full header line.
Review the directive and source expression counts.
Check structured findings for risky source expressions and duplicate directives.
Copy or download the normalized policy for deployment notes.
Use the findings as review hints, not as a complete security audit.
Inspect CSP headers copied from browser DevTools before changing a production deployment.
Find unsafe-inline, unsafe-eval, wildcard, data:, and HTTP source expressions while tightening script or image policies.
Normalize long CSP strings into one directive per line for incident notes and pull request reviews.
Review report-only CSP headers before promoting them to enforcement mode.
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; img-src https: data:Header name: content-security-policy
Directives: 3
Source expressions: 5
Findings: 1
High-risk findings: 0
Warnings: 1
Findings:
- Warning: data: source in img-src
Normalized policy:
default-src 'self';
script-src 'self' https://cdn.example.com;
img-src https: data:;default-src *; script-src 'unsafe-inline' 'unsafe-eval' http://cdn.example.comHeader name: none
Directives: 2
Source expressions: 4
Findings: 4
High-risk findings: 3
Warnings: 4
Findings:
- High: Wildcard source in default-src
- High: unsafe-inline in script-src
- High: unsafe-eval in script-src
- Warning: HTTP source in script-srcThe parser strips a Content-Security-Policy or Content-Security-Policy-Report-Only prefix when present.
Policy directives are split on semicolons and normalized to lowercase directive names.
Source expressions are preserved so copied hostnames and tokens remain visible.
Duplicate directives and empty directive segments are reported as findings instead of crashing.
Risk hints are conservative checks for common source expressions such as unsafe-inline, unsafe-eval, wildcard, data:, and HTTP sources.
A. No. The analyzer reports conservative review hints. It does not prove that a policy is secure or complete.
A. No. Paste the header value or full header line manually. The tool runs locally in your browser and does not fetch URLs.
A. It highlights common issues such as missing default-src, unsafe-inline, unsafe-eval, wildcard sources, data: sources, HTTP sources, and duplicate directives.
Use these focused guides when you need a practical workflow before opening the tool.
Use this workflow when a CSP blocks expected browser behavior, allows risky sources, or needs a readable review before a deployment change.
Workflow guideUse this workflow before a release when you need to confirm that response headers include practical browser security signals without sending internal URLs to a remote scanner.
Explore more developer tools
Generate MD5, SHA-1, SHA-256, and SHA-512 checksums locally.
Decode JWT header, payload, claims, and expiration locally.
Safely escape <, >, &, and quotes to entities or decode them — processing stays in your browser.
Parse raw HTTP request or response headers into grouped, normalized debugging output.
Inspect pasted HTTP response security headers and conservative review hints.
Parse URLs to extract protocol, domain, path, and query parameters. Instant breakdown.
CSP Header Analyzer: Paste a CSP header from DevTools, curl, CDN logs, or deployment notes to inspect directives and common risk hints locally.
Standard: Processing instructions and options
💡 Live Mode: Results update automatically as you type.