All Tools

Free CSP Checker — Test Content Security Policy Online

Test Content-Security-Policy headers on any URL — detect unsafe-inline, wildcard sources, and XSS gaps. Free Quick Check, no signup required.

Free online Quick Check — no signup required.

What This Tool Checks

  • Directive-level risk scoring
  • Bypass pattern detection
  • Stack-specific remediation

Why It Matters

A weak Content-Security-Policy can leave room for script injection, unsafe third-party behavior, or policy bypasses that look harmless until a real exploit path appears.

Best For

Best for teams validating CSP after adding new scripts, updating tag managers, tightening browser protections, or preparing an application for stronger XSS defenses.

What To Do Next

Use the output to decide whether your next move is policy cleanup, staged report-only deployment, or stack-specific remediation on the pages that matter most.

Frequently Asked Questions

What does a CSP checker test?

A CSP checker fetches the live Content-Security-Policy header from a URL and evaluates each directive for common weaknesses: unsafe-inline, wildcard sources, missing script-src, and incomplete default-src coverage that can leave XSS entry points open.

Is this CSP checker free?

Yes. Quick Check is free and requires no signup. Enter a URL, run the check, and review directive-level findings instantly.

What is a content security policy checker?

A content security policy checker reads the CSP HTTP response header and scores each directive against common XSS and injection risks. It helps teams validate policy strength after deployments, tag-manager changes, or framework updates without manual header inspection.

How do I use a free CSP checker online?

Paste the HTTPS URL you want to test, choose Quick Check mode, and submit. Vulnify fetches the live response headers and reports unsafe-inline usage, wildcard sources, missing directives, and stack-specific remediation guidance — no account required.

What is unsafe-inline in a Content Security Policy?

unsafe-inline permits inline scripts and styles to execute. It bypasses a core CSP defence and is the most common reason a policy fails to block cross-site scripting attacks. Removing it and using nonces or hashes is the recommended fix.

How do I add a Content Security Policy to my website?

Send a Content-Security-Policy HTTP response header from your server or add a meta http-equiv tag. Start in report-only mode to discover violations without blocking anything, then tighten directives incrementally. Our CSP fix guide covers staged deployment for common stacks.

What is the difference between CSP report-only and enforcement mode?

Content-Security-Policy-Report-Only logs policy violations without blocking resources — safe for initial rollout. Content-Security-Policy enforces the policy and blocks non-compliant resources. Teams typically test in report-only first, fix violations, then switch to enforcement.