CSP Evaluator
Evaluate your Content-Security-Policy header for misconfigurations and security risks. Runs locally in your browser.
Content-Security-Policy
Parsed Directives (8)
| Directive | Values |
|---|---|
| default-src | 'self' |
| script-src | 'self' 'unsafe-inline' https://cdn.example.com |
| style-src | 'self' 'unsafe-inline' |
| img-src | * |
| font-src | 'self' https://fonts.gstatic.com |
| connect-src | 'self' |
| frame-ancestors | 'none' |
| base-uri | 'self' |
Findings (7): 1 error, 2 warnings

| Severity | Directive | Finding |
|---|---|---|
| Error | script-src | 'unsafe-inline' allows inline scripts, defeating much of CSP's protection against XSS. |
| Warning | style-src | 'unsafe-inline' in style-src allows inline styles. Consider using nonces or hashes. |
| Info | img-src | Wildcard '*' allows images from any origin. Consider restricting. |
| Pass | frame-ancestors | frame-ancestors 'none' prevents the page from being framed. |
| Pass | base-uri | base-uri is defined. |
| Warning | object-src | Missing object-src. Set to 'none' to prevent plugin-based attacks (Flash, Java). |
| Info | report-uri | No reporting configured. Consider adding report-uri or report-to to monitor violations. |
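The checks behind these findings can be reproduced offline. The following is an added example, not the evaluator's own source: it parses a Content-Security-Policy header value, applies the rules listed above (with the CSP Level 2 refinement that a nonce or hash source makes browsers ignore 'unsafe-inline', and that object-src falls back to default-src), and returns the findings as data. The sample policy is the one shown on this page.

```javascript
// Added example, not the evaluator's own source: parse a Content-Security-Policy
// header value and run the checks this page reports, returning findings as data.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function evaluateCsp(directives) {
  const get = (d) => directives.get(d) || [];
  const findings = [];
  const add = (level, directive, message) => findings.push({ level, directive, message });
  const script = get("script-src");
  // CSP Level 2+: a nonce- or hash-source makes the browser ignore 'unsafe-inline',
  // so it is only a real weakness when no such source is present.
  const nonceOrHash = script.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  if (script.includes("'unsafe-inline'") && !nonceOrHash)
    add("error", "script-src", "'unsafe-inline' allows inline scripts and defeats most XSS protection.");
  if (get("style-src").includes("'unsafe-inline'"))
    add("warning", "style-src", "'unsafe-inline' allows inline styles; use nonces or hashes.");
  if (get("img-src").includes("*"))
    add("info", "img-src", "Wildcard '*' allows images from any origin.");
  if (get("frame-ancestors").includes("'none'"))
    add("pass", "frame-ancestors", "frame-ancestors 'none' prevents framing.");
  else
    add("warning", "frame-ancestors", "Missing or permissive frame-ancestors; page may be framed.");
  if (directives.has("base-uri")) add("pass", "base-uri", "base-uri is defined.");
  else add("warning", "base-uri", "Missing base-uri; an injected <base> could hijack relative URLs.");
  // object-src falls back to default-src, so an absent object-src is only safe
  // when default-src is exactly 'none'.
  if (!directives.has("object-src") && !get("default-src").includes("'none'"))
    add("warning", "object-src", "Missing object-src; set it to 'none' to block plugin content.");
  if (!directives.has("report-uri") && !directives.has("report-to"))
    add("info", "report-uri", "No reporting configured; add report-uri or report-to.");
  return findings;
}

// The policy shown on this page, constructed here as sample input.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; " +
  "style-src 'self' 'unsafe-inline'; img-src *; font-src 'self' https://fonts.gstatic.com; " +
  "connect-src 'self'; frame-ancestors 'none'; base-uri 'self'";
const sampleFindings = evaluateCsp(parseCsp(SAMPLE_CSP));
console.log(sampleFindings.map((f) => `${f.level.padEnd(7)} ${f.directive}: ${f.message}`).join("\n"));
```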