SitePrivacyScore
Home/Tools/CSP Header Checker
Free Privacy Resource

CSP Header Checker

Analyze your website's primary defense against Cross-Site Scripting (XSS). Build and verify a robust Content Security Policy.

Use this guide to understand the issue, validate the problem manually, and run the live scanner when you are ready. Get results in under 30 seconds.

Run the scanner for this issue

The fastest way to confirm this issue on a live domain is to run the dedicated scanner. It checks the technical signal directly, then shows the finding in plain language with remediation context.

Generate CSP HeaderRun Full Privacy Audit

Why teams search for this check

Search intent around this topic usually comes from one of three pressures: a buyer or procurement questionnaire, a legal or compliance review, or an engineering team trying to validate a risky browser behavior before launch.

This page is written to answer that intent directly, without generic filler. It explains what the issue means technically, how to confirm it manually, and what a defensible fix looks like in production.

The power of Content Security Policy

A Content Security Policy (CSP) is a critical HTTP response header that dictates exactly which dynamic resources are allowed to load and execute on a given web page.

By maintaining a strict whitelist of approved domains for scripts, styles, images, and fonts, a strong CSP effectively neutralizes the threat of unauthorized code injection, data exfiltration, and malicious framing.

Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous web vulnerabilities. A well-configured CSP acts as a powerful safety net, preventing attackers from executing harmful scripts even if they find an injection flaw in your application. In practice, teams usually do not lose trust because of a single configuration detail. They lose trust when the issue suggests weak governance, undocumented vendors, avoidable data sharing, or a disconnect between legal claims and live technical behavior.

What this tool specifically detects

  • Whether your current asset model needs a restrictive Content-Security-Policy rather than open-ended script loading.
  • The resource categories that usually need explicit allowlisting, including scripts, styles, fonts, frames, and connections.
  • Common CSP design mistakes such as relying on unsafe-inline or allowing broad wildcard sources.

When this becomes critical

  • You process forms, account actions, payments, or embedded third-party content.
  • You need demonstrable XSS mitigation for customer trust or procurement reviews.
  • Your application is growing and script governance is becoming harder to manage manually.

How this check works

Using our CSP tool, you can check your existing policy or generate a new, secure configuration by specifying exactly which trusted sources are permitted to deliver content to your visitors' browsers.

The goal is not to create noise. The goal is to surface the signal that matters first, show you how the issue normally appears in production, and help you decide whether you need a quick fix, a deeper audit, or a broader policy update.

Real-world examples that trigger this finding

A marketing widget injects inline JavaScript, so the team keeps unsafe-inline permanently and weakens the policy.

An analytics change adds a new connect-src endpoint and silently breaks data collection in production.

A site uses third-party checkout or chat tools without modeling their frame-src or script-src requirements.

How to manually detect this issue

  • List every external script, style, font, image, frame, and API endpoint used by the page.
  • Open the browser console and review CSP violations after enabling report-only mode.
  • Inspect inline scripts and event handlers that would need nonces or hashes instead of unsafe-inline.

How to fix it

  • Start from a default-src none or tight default and explicitly allow only required sources.
  • Replace unsafe-inline with nonces or hashes where possible.
  • Use report-only mode first, then promote the policy after reviewing violations and business-critical flows.

Common mistakes teams make

  • Copying a generic CSP example from another stack.
  • Allowing entire vendor domains when only one endpoint is needed.
  • Forgetting to update CSP after marketing or product teams add a new dependency.

Related Tools and Guides

Security Headers ScanReferrer Policy CheckThird-Party RequestsLearn how Content Security Policy worksLearn how CSP fits into security headers

Frequently Asked Questions

What is the difference between CSP and XSS filters?+
Legacy XSS filters attempted to guess if a script was malicious based on heuristics. CSP is a declarative policy where you explicitly state what is allowed. CSP is vastly superior and supported by all modern browsers.
What does unsafe-inline do?+
It allows the execution of inline <script> tags and javascript: URLs. This is extremely dangerous and defeats the primary purpose of a CSP, as it allows attackers to inject scripts directly into the HTML.
What is a CSP nonce?+
A nonce is a randomly generated token unique to each page load. You include it in your CSP header and in your inline <script> tags. The browser only runs scripts with a matching nonce, allowing safe inline code execution without 'unsafe-inline'.
Can I test my CSP before deploying it?+
Yes. You can use the 'Content-Security-Policy-Report-Only' header instead. It won't block any content, but it will send violation logs to a specified endpoint so you can see what would have been blocked.
What should I do if my CSP blocks my analytics?+
You need to add the domain of your analytics provider (e.g., https://www.google-analytics.com) to the `script-src` and `connect-src` directives in your CSP configuration.

Need a broader privacy review?

Run the full SitePrivacyScore audit when you need more than a single point-in-time check. It combines trackers, cookies, headers, consent signals, and remediation guidance in one report.

Run Full Privacy AuditBrowse All Free Tools

For deeper runtime checks, run the full privacy audit →