CSP header validator

Per CSP Level 3 (W3C WD)

Validate an existing Content-Security-Policy header via paste or URL lookup against CSP Level 3 and BSI IT-Grundschutz.

What is this, and when do I need it?

What is this?

Content-Security-Policy is the browser-level filter that decides which scripts, styles, images and connections the page may load. A broken CSP (with 'unsafe-inline', missing frame-ancestors, or a single overbroad host) reduces the protection against XSS, clickjacking and data exfiltration to almost zero. The validator parses an existing header and reports the concrete weaknesses.

Two modes: paste an existing header string for a fully browser-local check, or hand in an https URL - our server fetches the response, extracts the CSP header and the related security headers, and the parsing still runs locally.
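As an added illustration of the browser-local check described above (example code, not the validator's own implementation), this minimal linter parses a header string and reports the three weaknesses named earlier; the sample headers are constructed.

```javascript
// Added example, not the validator's own code: a minimal CSP Level 3 linter
// that parses a header string and reports the weaknesses described above.

// Split "directive value value; directive ..." into a Map; per spec the
// first occurrence of a directive wins and later duplicates are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Sources that let any origin, or any origin of a scheme, serve scripts.
const OVERBROAD = new Set(["*", "http:", "https:", "data:"]);

function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const scriptSrc = policy.get("script-src") ?? policy.get("default-src");
  if (!scriptSrc) {
    findings.push("no script-src/default-src: script loading is unrestricted");
  } else {
    const hasNonceOrHash = scriptSrc.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
    // so it only weakens the policy when it stands alone.
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src: 'unsafe-inline' lets injected inline scripts run");
    // 'strict-dynamic' makes host/scheme sources irrelevant, so skip them then.
    if (!scriptSrc.includes("'strict-dynamic'")) {
      for (const src of scriptSrc.filter(v => OVERBROAD.has(v.toLowerCase())))
        findings.push(`script-src: overbroad source ${src}`);
    }
  }
  // frame-ancestors has no default-src fallback; without it any site may frame the page.
  if (!policy.has("frame-ancestors"))
    findings.push("frame-ancestors missing: page can be framed (clickjacking)");
  // object-src also falls back to default-src; plugins can run script-like content.
  if (!(policy.get("object-src") ?? policy.get("default-src")))
    findings.push("object-src/default-src missing: plugin content unrestricted");
  return findings;
}

// Constructed sample headers: a weak legacy policy and a CSP3 strict-dynamic policy.
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https: cdn.example.com";
const STRICT = "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'";
console.log(lintCsp(WEAK));   // three findings
console.log(lintCsp(STRICT)); // []
```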

When do I need it?

Use as a sanity check before shipping a new CSP, after a CMS or theme update, when migrating from CSP Level 2 to Level 3 (strict-dynamic, hash sources, trusted types), or to audit a third-party site you embed via iframe. The generator next door builds a fresh policy from scratch.

In paste mode everything runs in your browser. The server does not see the header.
