Application Security

Content Security Policy Validator

Paste a CSP header to validate syntax, detect unsafe-inline and unsafe-eval usage, check nonce configuration, and identify weaknesses in the policy.

No data is transmitted. Everything runs locally.

The Content Security Policy Validator checks CSP header syntax, detects unsafe-inline and unsafe-eval, validates nonce configuration, and identifies common policy weaknesses.

• Validate a CSP before deploying to production to catch syntax errors

• Check whether unsafe-inline can be replaced with nonces in the existing policy

• Identify CSP directives that still allow XSS despite the policy being present

• Compare Content-Security-Policy and Content-Security-Policy-Report-Only behavior

What does this tool tell you?
The Content Security Policy Validator checks CSP header syntax, detects unsafe-inline and unsafe-eval, validates nonce configuration, and identifies common policy weaknesses.
What affects the result most?
CSP syntax: directives are separated by semicolons, and the sources within each directive are separated by spaces. unsafe-inline: disables script/style injection protection; avoid it unless using nonces. Nonces: script-src 'nonce-{random}' allows specific inline scripts while blocking others.
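The checks described above can be sketched as a small parser and rule set. This is an added example, not the validator's own code; the function names, finding ids and the 22-character nonce threshold (128 bits of base64) are assumptions chosen for illustration.

```javascript
// Added example (not the tool's code). Policies passed in are expected to be one header value.
function parseCsp(header) {
  const directives = new Map(), duplicates = [];
  for (const part of header.split(';')) {            // directives: semicolon-separated
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean); // sources: space-separated
    if (!name) continue;                              // empty segment, e.g. a trailing ';'
    const key = name.toLowerCase();                   // directive names are case-insensitive
    if (directives.has(key)) duplicates.push(key);    // browsers keep the first occurrence
    else directives.set(key, sources);
  }
  return { directives, duplicates };
}

function checkCsp(header) {
  const { directives, duplicates } = parseCsp(header);
  const findings = duplicates.map(d => ({ id: 'duplicate-directive', detail: d }));
  const add = (id, detail) => findings.push({ id, detail });
  for (const [name, sources] of directives) {
    if (!/^[a-z0-9-]+$/.test(name)) add('bad-directive-name', name);
    for (const s of sources)                          // unquoted keywords parse as hostnames
      if (/^(self|none|unsafe-inline|unsafe-eval|strict-dynamic|nonce-.+)$/i.test(s))
        add('unquoted-keyword', `${name} ${s}`);
  }
  // script-src falls back to default-src when it is absent
  const script = directives.get('script-src') || directives.get('default-src');
  if (!script) { add('no-script-restriction', 'neither script-src nor default-src'); return findings; }
  const lower = script.map(s => s.toLowerCase());
  const nonces = script.map(s => /^'nonce-(.*)'$/i.exec(s)).filter(Boolean).map(m => m[1]);
  const mitigated = nonces.length > 0 || lower.some(s => /^'sha(256|384|512)-/.test(s));
  if (lower.includes("'unsafe-inline'"))
    add(mitigated ? 'unsafe-inline-ignored' : 'unsafe-inline',
        mitigated ? 'CSP2+ browsers ignore it when a nonce or hash is present'
                  : 'injected inline scripts will run');
  if (lower.includes("'unsafe-eval'")) add('unsafe-eval', 'eval() and similar sinks stay enabled');
  for (const n of nonces) {
    if (!/^[A-Za-z0-9+\/_-]+={0,2}$/.test(n)) add('nonce-not-base64', n); // e.g. a template placeholder
    else if (n.replace(/=+$/, '').length < 22) add('nonce-too-short', n); // under 128 bits
  }
  return findings;
}
```

A literal `'nonce-{random}'` left in a deployed header is reported as `nonce-not-base64`, which catches a template placeholder that was never substituted.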
How should I use the result?
Treat the tool's output as a first-pass check, not a proof of correctness. A clean pass means no issues in the patterns this tool recognizes; a failure points to a specific problem you can investigate in your source. The underlying spec is the authoritative source for edge cases.