CSP Header Validator

Paste a Content-Security-Policy header value to validate its directives and source values in one pass. Detects risky settings like unsafe-inline, a missing default-src fallback, and typos in directive names, and shows every directive's allowed sources in a visual breakdown.

Tips

  • CSP is normally delivered as an HTTP response header, but it can also be set via a <meta http-equiv="Content-Security-Policy"> tag (though directives like report-uri have no effect there).
  • Before rolling CSP out in production, try the Content-Security-Policy-Report-Only header first — it only collects violation reports, letting you gauge the impact on existing functionality without breaking anything.
  • Wildcards (*) and 'unsafe-inline' make development easier, but they undercut most of CSP's XSS protection. Always tighten a loose policy before shipping to production.
  • Repeating the same directive twice does not merge the values — only the first occurrence takes effect. To add or override sources, keep everything in a single directive.
  • Your browser's DevTools console prints blocked resources as a red "Refused to load..." message, so it is the first place to check when debugging a CSP that is too strict.

FAQ

CSP tells the browser exactly which sources are allowed to supply scripts, images, styles, and other resources on the page. Anything not on the allowlist — including inline scripts — gets blocked from loading or executing, which dramatically cuts the risk of an XSS attack running an attacker-controlled script.

Yes — nonce sources ('nonce-') and hash sources ('sha256-') both work. By adding a nonce attribute to a script tag that matches the value in the response header, you can allow that specific tag while still blocking any other, unauthorized inline script.

CSP blocked a resource because its origin was not on the allowlist. The browser console shows a message like "Refused to load...because it violates the following Content Security Policy directive", which names the exact origin — add that origin to the corresponding directive's allowlist to fix it.

Usually not. default-src only acts as a fallback for directives you have not set explicitly. High-risk directives like script-src and object-src should each be configured explicitly and strictly, since they represent a much larger attack surface than most other directives.

Both specify where the browser should send violation reports, but report-uri is the older directive that points directly to a reporting URL. report-to is based on the newer Reporting API and instead references a named group defined in a separate Report-To header. Because browser support for the two differs, it is common to specify both for compatibility.
ツールくん

Side Note — Why CSP exists: escaping alone was never enough to stop XSS

Content Security Policy traces back to an idea Robert Hansen floated around 2004, which Mozilla engineer Brandon Sterne then turned into a formal specification starting around 2008, leading to the first W3C Candidate Recommendation (Level 1) in 2012. Cross-site scripting (XSS) was one of the most pressing web vulnerabilities of the era, and it became clear that relying solely on developer diligence — "escape every output correctly" — was not a robust enough defense. CSP was designed as a defense-in-depth mechanism that lets the browser itself enforce restrictions on where scripts can come from.

CSP Level 2 introduced nonce- and hash-based allowances for inline scripts, letting sites permit specific inline code without resorting to 'unsafe-inline'. Level 3 then added 'strict-dynamic', which automatically trusts scripts dynamically loaded by an already-trusted script, dramatically cutting the maintenance burden of host-based allowlists on large sites.

Google has continued rolling out strict, nonce-based CSP across its own large-scale services, and published research from that effort concluding that host-based allowlists are frequently bypassable, while nonce- or hash-based policies are far more effective in practice. That finding is now widely cited as CSP best practice, underscoring that the real design decision is not just "which values to ban" but "which allowlisting strategy to build on" in the first place.

→ Browse all trivia