About CSP Builder and Analyzer
Parses and analyzes a Content Security Policy without crawling a site or transmitting the policy. It catches duplicate directives, malformed keywords, ineffective none expressions, broad script sources, deprecated reporting syntax, and common missing restrictions. Exports are available for a raw response header, HTML meta tag, Nginx, and the globalHeaders section used by Azure Static Web Apps.
- Understands current CSP Level 3 directive names while retaining unknown directives for review.
- Explains each finding without claiming that static analysis can prove a deployed application is secure.
- Includes a conservative static-site baseline and a nonce-based strict policy template.
- All policy text and generated configuration remain in the browser.
Frequently Asked Questions
- Does a clean result mean the site is secure?
- No. The analyzer checks policy structure and known risky patterns. Only runtime reporting and application testing can show whether the policy permits required resources or blocks real attack paths.
- Can I use the meta tag instead of a response header?
- Only when the policy uses directives supported in meta delivery. Directives such as frame-ancestors and sandbox must be delivered in an HTTP response header.
More Web Tools Tools
All Web Tools toolsWeb Tools
Color Picker
Pick colors and get hex, RGB, HSL values.
Web Tools
HTTP Status Code Checker
Check any URL's HTTP status code and headers.
Web Tools
Image to Base64 Converter
Convert images to Base64 data URLs for direct embedding in HTML, CSS, or JSON.
Web Tools
HTML Encoder
Encode special characters as HTML entities.