CSP Validator

Validate a Content Security Policy string against the W3C spec. Flags unsafe directives, missing protections, and syntax errors.

Validates a Content Security Policy string against the W3C CSP Level 3 spec. Scores your policy 0-100. Flags unsafe-inline in script-src, missing frame-ancestors, missing object-src, and wildcard sources. Paste a CSP string or enter a URL to fetch the live policy.

About CSP Validator

What does CSP Validator check?

CSP Validator parses your Content Security Policy string and checks it against the W3C spec. It flags unsafe directives like unsafe-inline and unsafe-eval in script-src, missing object-src and default-src, wildcard sources, and HTTP sources that should be HTTPS.

What is unsafe-inline and why is it dangerous?

unsafe-inline in script-src allows any inline script tag to execute, including injected ones. It effectively disables XSS protection from CSP. Replace it with nonces or hashes for inline scripts you control.

What is the minimum viable CSP?

A baseline CSP should include default-src 'self', object-src 'none', base-uri 'self', and frame-ancestors 'none'. These four directives block the most common injection vectors without breaking most sites.
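The checks and the baseline described above can be sketched as a small linter. This is an added example, not HttpFixer's code; the names `parseCsp` and `lintCsp` and the sample policies are assumptions made for illustration.

```javascript
// Added example: minimal CSP linter for the checks this page lists.
// parseCsp / lintCsp are hypothetical names, not the tool's own API.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP Level 3: a repeated directive is ignored, the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function lintCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src when it is absent.
  const script = d.get('script-src') || d.get('default-src') || [];
  const hasNonceOrHash = script.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (!script.some(s => s.toLowerCase() === kw)) continue;
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    if (kw === "'unsafe-inline'" && hasNonceOrHash) continue;
    findings.push(`script-src allows ${kw}`);
  }
  // The page's four baseline directives. base-uri and frame-ancestors never
  // inherit from default-src; object-src is flagged because the baseline sets it.
  for (const name of ['default-src', 'object-src', 'base-uri', 'frame-ancestors']) {
    if (!d.has(name)) findings.push(`missing ${name}`);
  }
  for (const [name, sources] of d) {
    for (const s of sources) {
      // Only the bare * is flagged here, not host wildcards like *.example.com.
      if (s === '*') findings.push(`${name} uses wildcard *`);
      else if (/^http:/i.test(s)) findings.push(`${name} allows plain-HTTP source ${s}`);
    }
  }
  return findings;
}

// Constructed sample policies.
const WEAK = "default-src *; script-src 'self' 'unsafe-inline' http://cdn.example.com";
const BASELINE = "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
console.log(lintCsp(WEAK));
console.log(lintCsp(BASELINE));
```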

Can I fetch my CSP from a live URL?

Yes — enter your URL in the live fetch field and CSP Validator reads the Content-Security-Policy header from your actual server response. No proxy or backend is involved.

HttpFixer by MetricLogic

For informational purposes only. Always test in staging before production. MetricLogic accepts no responsibility for issues arising from use of these tools. © 2026 MetricLogic.