Inspect Content-Security-Policy directives for unsafe sources, missing fallbacks, framing gaps, object-src, base-uri, and reporting coverage.
- Runs locally
- Category Developer & DevOps
- Best for Formatting, validating, shrinking, or inspecting code-adjacent text.
- form-action: missing form submission restriction
- reporting: no CSP violation reporting endpoint
What this tool does
CSP Policy Auditor reviews a pasted Content-Security-Policy header and explains the practical hardening gaps. It parses directives, lists sources, counts nonce and hash sources, and flags missing default-src, unsafe-inline, unsafe-eval, wildcard and data sources, weak object-src, missing frame-ancestors, missing base-uri, missing form-action, missing upgrade-insecure-requests, and absent reporting endpoints. The tool is useful when tightening a frontend app, debugging CSP rollout, reviewing third-party scripts, preparing security questionnaires, or comparing staging and production headers. It works locally and does not contact the target site. Export the results as Markdown, JSON, or CSV for issue trackers and security reviews.
Tool details
- Input
- Files + Text + Numbers
- The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
- Output
- Live result + Copy + Download
- The result area focuses on usable output, with copy, download, or preview actions when supported.
- Privacy
- Browser-side processing
- The main tool logic does not call an external API, so inputs normally stay in the current tab.
- Save / share
- Shareable URL state
- Key settings are encoded in the URL so another person can reopen the same setup.
- Performance budget
- Initial JS <= 118 KB
- No WASM budget is declared, keeping the tool quick to open on mobile.
- Best fit
- Developer & DevOps · Developer
- Category and role tags drive related tools, internal links, and quick fit checks.
How to use
-
1. Input
Paste or drop your content into the tool panel.
-
2. Process
Click the button. All processing is local in your browser.
-
3. Copy / Download
Copy the result or download to disk in one click.
How CSP Policy Auditor fits into your work
Use it in the small gaps between coding, reviewing, debugging, and shipping.
Developer jobs
- Formatting, validating, shrinking, or inspecting code-adjacent text.
- Preparing snippets for documentation, tickets, commits, or handoff.
- Checking a small payload quickly without switching tools.
Developer checks
- Run irreversible transforms like minify or obfuscate on a copy.
- Keep secrets out of pasted snippets unless the tool explicitly stays local.
- Use your normal tests or linter before shipping transformed code.
Good next steps
These links move the current task into a more complete workflow.
- 1 HTTP Security Header Auditor Audit raw response headers for HSTS, CSP, cookie flags, MIME sniffing, clickjacking, referrer, and permissions policy gaps. Open
- 2 HTML Form Extractor Upload or paste HTML and extract forms, methods, actions, fields, labels, required flags, autocomplete, password fields, and security risks. Open
- 3 HAR Performance Analyzer Upload a Chrome DevTools HAR file and get a local performance, cache, host, asset, status, and security-header report. Open
Real-world use cases
Harden a frontend app
Review current CSP sources before removing unsafe-inline, unsafe-eval, or broad wildcards.
Compare staging and production headers
Paste each policy and export the directive inventory for a release checklist.
Common pitfalls
Adding a CSP header that still allows wildcard script sources and unsafe-eval.
Forgetting frame-ancestors and relying only on older X-Frame-Options behavior.
Privacy
CSP headers can reveal vendor domains and internal asset hosts. Analysis stays in the browser.
FAQ
Tool combos
Folks in your role tend to reach for these alongside this tool.
- 555 Timer Calculator Astable f = 1.44/((R1+2R2)C) + monostable t = 1.1RC — pick R1, R2, C in Ω/kΩ and µF/nF, read frequency, duty cycle and pulse width — browser-only
- Add Line Numbers Number every line of pasted text — set start, step and separator, zero-pad to align, skip blanks, or strip numbers back off — browser-only
- AES Text Encryptor Encrypt & decrypt text with a password — AES-256-GCM + PBKDF2 via WebCrypto — 100% in your browser, nothing uploaded
- Affine Cipher Encoder & Decoder Encrypt and decrypt the ax+b affine cipher with live modular-inverse check, browser-only