CSP Builder / Checker
Paste a Content-Security-Policy to instantly flag risky directive values ('unsafe-inline', wildcards, …) and get a stricter starter policy. Everything runs in your browser; your input is never sent to a server.
Strict starter policy
Use this as a base and add only the sources your site actually needs.
default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; form-action 'self'; upgrade-insecure-requests
How to use
1. Copy the Content-Security-Policy value from your site's response headers and paste it above.
2. The policy is split into directives, and each risky source value is listed with a severity.
3. Start from the strict policy above and add only the sources your site actually needs.
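As an added example (not the tool's own code), here is a small JavaScript checker that performs those three steps: it parses the header value, resolves the default-src fallback, and flags the risky values named on this page with a severity. The directive coverage, the severity levels and the sample policy at the bottom are this example's own choices; browsers implement more directives and matching rules than are modelled here.

```javascript
// Added example, not the tool's own code. Directive coverage, severities and
// the sample policy are choices made for this illustration.

// Directives that fall back to default-src when absent (subset).
const FETCH_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'object-src', 'frame-src', 'media-src', 'worker-src',
]);

// "name v1 v2; name v1" -> Map(name -> [v1, v2]). Browsers keep the first
// occurrence of a duplicated directive and ignore later ones; so does this.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Which directive actually governs a fetch directive that may be absent.
function effectiveSources(d, name) {
  if (d.has(name)) return { from: name, sources: d.get(name) };
  if (d.has('default-src')) return { from: 'default-src', sources: d.get('default-src') };
  return { from: null, sources: null };
}

const isNonceOrHash = (s) => /^'(nonce|sha(256|384|512))-[A-Za-z0-9+/=_-]+'$/.test(s);
const isNone = (sources) => sources.length === 1 && sources[0].toLowerCase() === "'none'";

function checkCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const flag = (severity, directive, value, message) =>
    findings.push({ severity, directive, value, message });

  if (!d.has('default-src')) {
    flag('high', 'default-src', null, 'missing: any fetch directive you omit is unrestricted');
  }

  for (const [name, sources] of d) {
    if (!FETCH_DIRECTIVES.has(name)) continue;
    // default-src governs scripts only while script-src is absent.
    const governsScripts = name === 'script-src' || (name === 'default-src' && !d.has('script-src'));
    const hasNonceOrHash = sources.some(isNonceOrHash);
    for (const raw of sources) {
      const src = raw.toLowerCase();
      if (src === "'unsafe-inline'") {
        if (governsScripts && hasNonceOrHash) {
          flag('low', name, raw, 'ignored by CSP3 browsers once a nonce/hash is present; only a legacy fallback');
        } else {
          flag(governsScripts ? 'high' : 'medium', name, raw, 'inline code is allowed, so injected markup executes');
        }
      } else if (src === "'unsafe-eval'" && governsScripts) {
        flag('high', name, raw, 'eval()/new Function() are allowed; injected strings become code');
      } else if (src === '*') {
        flag(governsScripts ? 'high' : 'medium', name, raw, 'wildcard: any origin is allowed');
      } else if (/^(https?|data|blob|filesystem):$/.test(src)) {
        // data: images and fonts are usually harmless; data: scripts/objects are not.
        const harmless = src === 'data:' && ['img-src', 'font-src', 'media-src'].includes(name);
        flag(governsScripts || name === 'object-src' ? 'high' : harmless ? 'low' : 'medium',
          name, raw, 'scheme-only source: every host (or every data: URL) with that scheme is allowed');
      } else if (src.startsWith('*.') || src.includes('://*.')) {
        flag('medium', name, raw, 'host wildcard: every subdomain is allowed, including forgotten ones');
      } else if (src.startsWith('http://')) {
        flag('low', name, raw, 'plaintext HTTP source can be altered in transit');
      }
    }
  }

  // Directives that do not inherit from default-src and are easy to forget.
  if (!d.has('base-uri')) flag('medium', 'base-uri', null, "missing: an injected <base> can redirect relative script URLs; use 'self' or 'none'");
  if (!d.has('frame-ancestors')) flag('medium', 'frame-ancestors', null, "missing: the page can be framed (clickjacking); use 'none' or 'self'");
  if (!d.has('form-action')) flag('low', 'form-action', null, "missing: injected forms can post data anywhere; use 'self'");
  const obj = effectiveSources(d, 'object-src');
  if (!obj.sources || !isNone(obj.sources)) {
    flag(obj.sources ? 'low' : 'high', 'object-src', null, "not 'none': plugin content can run script; set object-src 'none'");
  }

  const rank = { high: 0, medium: 1, low: 2 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// Constructed sample: a policy that looks restrictive but is not.
const SAMPLE = "default-src 'self' *.cdn.example; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline'; img-src *";
for (const f of checkCsp(SAMPLE)) {
  console.log(`[${f.severity}] ${f.directive}${f.value ? ' ' + f.value : ''}: ${f.message}`);
}
```

Run against the strict starter policy above, the only finding is the `low` note on `data:` in img-src; run against the sample, the three `high` findings all sit in script-src, which is where the XSS impact lives.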
Why it matters
CSP is a key layer for cutting down the impact of XSS, but allowing 'unsafe-inline' in script-src, or a bare * wildcard, removes most of that protection: the injected script is itself inline, or is served from an origin the wildcard already allows. The rule of thumb is to start from a strict default-src 'self' and add only the minimal sources you need.
FAQ
Q: Is my pasted policy sent anywhere?
A: No. All parsing runs in your browser (JavaScript); your input is never sent to a server.
Q: Why is 'unsafe-inline' dangerous?
A: With 'unsafe-inline' in script-src, a <script> injected through XSS is just another inline script and runs, which defeats the main point of CSP. Replace it with a per-response nonce or a hash of each legitimate inline block. CSP3 browsers ignore 'unsafe-inline' when a nonce or hash is present, so it can stay only as a fallback for older browsers.