Is anything uploaded?

No. Parsing happens locally and clears on refresh.

Do you verify hashes/nonces?

No. This flags risky directives but does not compute hashes or validate nonces against content.

web validator

Content Security Policy Validator

Validate CSP headers client-side—check directives, missing values, and risky flags.

Results

Processing…

Status: Processing...
Details: Processing...
Issues: Processing...
Directives: Processing...

How to use this validator

Paste the CSP header string.
Run validate to check for required directives, empty values, and risky flags.
If issues are flagged (missing default-src, unsafe-inline), adjust and re-run.

Rules & checks

Ensures default-src is present.

Flags directives without values (except upgrade-insecure-requests and block-all-mixed-content).

Warns on script-src 'unsafe-inline'.

Identifies unknown directives.

Inputs explained

CSP header
Paste the full Content-Security-Policy header. Keep hashes/nonces intact; avoid production secrets in sample values.

When to use it

QA CSP headers before launch
Review third-party CSP snippets
Support and security teams triaging reports

Common errors

Missing default-src
Empty directive values
Use of 'unsafe-inline' without need
Unknown directives

Limitations

Structure and basic risk checks only; does not fetch resources or verify hashes/nonces.
Does not validate hash/nonce correctness against actual content.

Tips

Prefer hashes/nonces over 'unsafe-inline'
Set frame-ancestors to control embedding
Use report-to/report-uri to monitor violations

Examples

Valid CSP

default-src 'self'; script-src 'self' cdn.example.com; object-src 'none'; frame-ancestors 'none'

Missing default-src

script-src 'self' -> Flagged (default-src required)

Unsafe inline

script-src 'self' 'unsafe-inline' -> Warning (prefer hashes/nonces)

Deep dive

This CSP validator checks default-src presence, empty directives, and risky flags like 'unsafe-inline' entirely in your browser.

Use it to harden Content-Security-Policy headers pasted from DevTools or server configs before you deploy.

FAQs

Is anything uploaded?: No. Parsing happens locally and clears on refresh.
Do you verify hashes/nonces?: No. This flags risky directives but does not compute hashes or validate nonces against content.

Related validators

web

URL Validator

Validate HTTP/HTTPS URLs locally—parse host/path and catch malformed links before publishing or sending to APIs.

security

Hash Generator (MD5 / SHA1 / SHA256)

Generate MD5, SHA1, or SHA256 hashes locally—no data leaves your browser.

web

HTTP Security Headers Validator

Validate core security headers (HSTS, nosniff, frame options, referrer policy, permissions policy) entirely client-side.

web

CORS Header Validator

Validate CORS response headers locally—origins, methods, headers, credentials, and max-age.

All validation happens in your browser. No data is sent, logged, or stored.

Structure and basic risk checks only; does not fetch resources or verify hashes/nonces.