Free Content Security Policy (CSP) Evaluator
Paste a Content-Security-Policy and get an A-F grade, with specific fixes for unsafe-inline, unsafe-eval, wildcards, and missing directives.
Frequently asked
What makes a CSP weak?
The most common weaknesses are 'unsafe-inline' and 'unsafe-eval' in script-src (they defeat most XSS protection), wildcard * sources, missing object-src 'none', and no default-src fallback. The evaluator flags each and explains the fix.
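The checks listed in that answer can be shown as working code. The following is an added example, not the evaluator's own code: a small in-browser-style CSP grader in JavaScript that parses a policy string into directives, resolves the script-src and object-src fallbacks to default-src, flags each of the weaknesses named above, and turns the findings into a letter grade. The function names (`parseCsp`, `evaluateCsp`), the point deductions and the grade thresholds are assumptions chosen for illustration, and the sample policies are constructed.

```javascript
// Added example: minimal CSP weakness checker (assumed names and scoring).

// Split a policy into a Map of directive name -> source list.
// A browser honours only the first occurrence of a duplicated directive.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src and object-src fall back to default-src when absent.
function effectiveSources(directives, name) {
  return directives.has(name) ? directives.get(name) : directives.get('default-src');
}

// A nonce or hash in the same directive makes CSP2+ browsers ignore
// 'unsafe-inline', so its presence lowers the severity of that finding.
function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

// Assumed scoring: deductions per finding, then a letter grade.
const DEDUCTION = { high: 25, medium: 15 };

function gradeFor(score) {
  if (score >= 90) return 'A';
  if (score >= 80) return 'B';
  if (score >= 70) return 'C';
  if (score >= 60) return 'D';
  return 'F';
}

function evaluateCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const add = (severity, directive, message, fix) =>
    findings.push({ severity, directive, message, fix });

  // 1-3: script execution controls.
  const scriptName = d.has('script-src') ? 'script-src' : 'default-src';
  const script = effectiveSources(d, 'script-src');
  if (!script) {
    add('high', 'script-src', 'no script-src and no default-src: scripts load from anywhere',
        "add script-src 'self' (or nonces/hashes)");
  } else {
    const lower = script.map((s) => s.toLowerCase());
    if (lower.includes("'unsafe-inline'")) {
      add(hasNonceOrHash(script) ? 'medium' : 'high', scriptName,
          "'unsafe-inline' allows injected inline scripts (ignored by CSP2+ browsers only when a nonce/hash is present)",
          "remove 'unsafe-inline'; use nonces or hashes for inline scripts");
    }
    if (lower.includes("'unsafe-eval'")) {
      add('high', scriptName, "'unsafe-eval' allows eval()/Function() on attacker-controlled strings",
          "remove 'unsafe-eval' and refactor code that relies on eval");
    }
    if (lower.includes('*')) {
      add('high', scriptName, 'wildcard * allows scripts from any origin',
          'list the exact script origins instead of *');
    }
  }

  // 4: plugin content must be disabled.
  const obj = effectiveSources(d, 'object-src');
  if (!obj || !(obj.length === 1 && obj[0].toLowerCase() === "'none'")) {
    add('high', 'object-src', "object-src is not 'none': plugin content can bypass script restrictions",
        "add object-src 'none'");
  }

  // 5: a default-src fallback covers directives that were not specified.
  if (!d.has('default-src')) {
    add('medium', 'default-src', 'no default-src fallback: unlisted fetch directives are unrestricted',
        "add default-src 'self' or default-src 'none'");
  }

  // Wildcards in other directives (script-src was already scored above).
  for (const [name, sources] of d) {
    if (name !== scriptName && sources.includes('*')) {
      add('medium', name, 'wildcard * source', 'replace * with explicit origins');
    }
  }

  let score = 100;
  for (const f of findings) score -= DEDUCTION[f.severity];
  score = Math.max(0, score);
  return { grade: gradeFor(score), score, findings };
}

// Constructed sample policies for a quick run.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; img-src *";
const STRONG_POLICY = "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'";
const PARTIAL_POLICY = "script-src 'self'";
```

Running `evaluateCsp(WEAK_POLICY)` yields four high findings and one medium (grade F); `STRONG_POLICY` produces no findings (grade A); `PARTIAL_POLICY` is flagged for the unrestricted object-src and the missing default-src fallback (grade D). A real evaluator would also consider scheme sources such as `data:` and `https:`, `base-uri`, and report-only headers; this block covers only the weaknesses the answer above names.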
Is my policy uploaded anywhere?
No. The evaluator parses and grades the policy entirely in your browser. Nothing is sent to a server.