CSP Header Validator
Paste a Content-Security-Policy header value to validate its directives and source values in one pass. Detects risky settings like unsafe-inline, a missing default-src fallback, and typos in directive names, and shows every directive's allowed sources in a visual breakdown.
Tips
- CSP is normally delivered as an HTTP response header, but it can also be set via a
<meta http-equiv="Content-Security-Policy">tag (though directives like report-uri have no effect there). - Before rolling CSP out in production, try the Content-Security-Policy-Report-Only header first — it only collects violation reports, letting you gauge the impact on existing functionality without breaking anything.
- Wildcards (*) and 'unsafe-inline' make development easier, but they undercut most of CSP's XSS protection. Always tighten a loose policy before shipping to production.
- Repeating the same directive twice does not merge the values — only the first occurrence takes effect. To add or override sources, keep everything in a single directive.
- Your browser's DevTools console prints blocked resources as a red "Refused to load..." message, so it is the first place to check when debugging a CSP that is too strict.
FAQ
Side Note — Why CSP exists: escaping alone was never enough to stop XSS
Content Security Policy traces back to an idea Robert Hansen floated around 2004, which Mozilla engineer Brandon Sterne then turned into a formal specification starting around 2008, leading to the first W3C Candidate Recommendation (Level 1) in 2012. Cross-site scripting (XSS) was one of the most pressing web vulnerabilities of the era, and it became clear that relying solely on developer diligence — "escape every output correctly" — was not a robust enough defense. CSP was designed as a defense-in-depth mechanism that lets the browser itself enforce restrictions on where scripts can come from.
CSP Level 2 introduced nonce- and hash-based allowances for inline scripts, letting sites permit specific inline code without resorting to 'unsafe-inline'. Level 3 then added 'strict-dynamic', which automatically trusts scripts dynamically loaded by an already-trusted script, dramatically cutting the maintenance burden of host-based allowlists on large sites.
Google has continued rolling out strict, nonce-based CSP across its own large-scale services, and published research from that effort concluding that host-based allowlists are frequently bypassable, while nonce- or hash-based policies are far more effective in practice. That finding is now widely cited as CSP best practice, underscoring that the real design decision is not just "which values to ban" but "which allowlisting strategy to build on" in the first place.