About CSP Builder and Analyzer

Parses and analyzes a Content Security Policy without crawling a site or transmitting the policy. It catches duplicate directives, malformed keywords, ineffective none expressions, broad script sources, deprecated reporting syntax, and common missing restrictions. Exports are available for a raw response header, HTML meta tag, Nginx, and the globalHeaders section used by Azure Static Web Apps.

  • Understands current CSP Level 3 directive names while retaining unknown directives for review.
  • Explains each finding without claiming that static analysis can prove a deployed application is secure.
  • Includes a conservative static-site baseline and a nonce-based strict policy template.
  • All policy text and generated configuration remain in the browser.

Frequently Asked Questions

Does a clean result mean the site is secure?
No. The analyzer checks policy structure and known risky patterns. Only runtime reporting and application testing can show whether the policy permits required resources or blocks real attack paths.
Can I use the meta tag instead of a response header?
Only when the policy uses directives supported in meta delivery. Directives such as frame-ancestors and sandbox must be delivered in an HTTP response header.

More Web Tools Tools

All Web Tools tools