CSP Analyzer
Analyze Content Security Policy headers locally, flag risky directives, and copy a hardened starter policy.
CSP analyzer workspace
Analyze a CSP header and generate a hardened starter policy locally.
CSP input
Hardened starter policy
CSP score
Output
Policy needs attention
Review the checks below and copy the hardened starter policy when it fits your app.
Default source
PassDefault fallback is present.
Inline script risk
CheckAvoid unsafe-inline, unsafe-eval, wildcard, and plain HTTP script sources when possible.
Object embedding
PassPlugins are disabled.
Base URI
PassBase URL changes are constrained.
Frame protection
PassFrame ancestors are controlled by CSP.
Form action
CheckAdd form-action to restrict form submissions.
Mixed content
CheckAdd upgrade-insecure-requests on HTTPS sites.
Wide media sources
PassImage sources do not use wildcard or HTTP.
Parsed directives
Questions
Can I paste raw HTTP response headers?
Yes. The analyzer extracts the Content-Security-Policy header from raw response headers or accepts a standalone CSP value.
Can a CSP break my site?
Yes. CSP can block scripts, styles, images, fonts, forms, frames, analytics, and API calls. Test important pages before deploying a stricter policy.
Is the score a full security audit?
No. The score highlights common CSP risks and missing directives, but it is not a replacement for a full security review.
Does Utilumo upload my input?
No. This tool is designed for local browser processing and does not send your input to a server.
Do I need an account?
No. Utilumo tools are built to work without accounts or sign-in.