Utilumo
LightDarkSystem

CSP Analyzer

Analyze Content Security Policy headers locally, flag risky directives, and copy a hardened starter policy.

CSP analyzer workspace

Analyze a CSP header and generate a hardened starter policy locally.

CSP input

Hardened starter policy

CSP score

Output

Score: 82Directives: 6Passed: 5Warnings: 3Missing: 0Processing: Local

Default source

Pass

Default fallback is present.

Inline script risk

Check

Avoid unsafe-inline, unsafe-eval, wildcard, and plain HTTP script sources when possible.

Object embedding

Pass

Plugins are disabled.

Base URI

Pass

Base URL changes are constrained.

Frame protection

Pass

Frame ancestors are controlled by CSP.

Form action

Check

Add form-action to restrict form submissions.

Mixed content

Check

Add upgrade-insecure-requests on HTTPS sites.

Wide media sources

Pass

Image sources do not use wildcard or HTTP.

Parsed directives

default-src'self'
script-src'self' 'unsafe-inline'
img-src'self' data:
object-src'none'
base-uri'self'
frame-ancestors'none'
Files are processed in your browser. No data is uploaded.

Questions

Can I paste raw HTTP response headers?

Yes. The analyzer extracts the Content-Security-Policy header from raw response headers or accepts a standalone CSP value.

Can a CSP break my site?

Yes. CSP can block scripts, styles, images, fonts, forms, frames, analytics, and API calls. Test important pages before deploying a stricter policy.

Is the score a full security audit?

No. The score highlights common CSP risks and missing directives, but it is not a replacement for a full security review.

Does Utilumo upload my input?

No. This tool is designed for local browser processing and does not send your input to a server.

Do I need an account?

No. Utilumo tools are built to work without accounts or sign-in.