What is a CSP evaluator?

A CSP evaluator analyzes Content-Security-Policy HTTP headers to find misconfigurations, bypass opportunities, and security weaknesses. It checks for dangerous directives like unsafe-inline and unsafe-eval, known JSONP bypass domains, and missing security directives.

How can unsafe-inline in CSP be bypassed?

When unsafe-inline is present in script-src, an attacker can execute arbitrary JavaScript via inline tags, event handlers like onerror, and SVG onload attributes. This effectively disables CSP's XSS protection.

What is a good CSP grade?

An A+ grade means no findings were detected. A secure CSP should include script-src 'self' without unsafe-inline or unsafe-eval, object-src 'none', base-uri 'self', form-action 'self', and frame-ancestors 'none'.

CSP Evaluator

Analyze Content-Security-Policy headers for weaknesses and bypass opportunities. Detects unsafe-inline, unsafe-eval, JSONP bypass domains, missing directives, and generates secure CSP recommendations. Grades A+ to F.

X LinkedIn Reddit

Content-Security-Policy Header Value

Related Tools

HTTP Header Analyzer

Analyze HTTP headers for security issues with A+ to F grading.

Security Header Scanner

Scan any URL for missing security headers with A+ to F grade.

WAF Bypass Transformer

Transform payloads to evade Web Application Firewalls.

CORS Misconfiguration Scanner

Test URLs for CORS misconfigurations with exploit code.

$loading...