What is this?
Content-Security-Policy is the browser-level filter that decides which scripts, styles,
images and connections the page may load. A broken CSP (with 'unsafe-inline',
missing frame-ancestors, or a single overbroad host) reduces the protection
against XSS, clickjacking and data exfiltration to almost zero. The validator parses an
existing header and reports the concrete weaknesses.
Two modes: paste an existing header string for a fully browser-local check, or hand in an https URL.
In URL mode our server fetches the response and extracts the CSP header together with the
related security headers; the parsing itself still runs locally in the browser.
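To make the three weakness classes above concrete, here is a small checker (an added example, not the validator's own code) that parses a header into directives and flags 'unsafe-inline' without a nonce or hash, a missing frame-ancestors, and overbroad sources in script-src and connect-src; the sample headers WEAK and STRICT are constructed for the demonstration.

```python
from typing import Dict, List

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}.
    Browsers honour only the first occurrence of a directive, so duplicates are dropped."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def overbroad(src: str) -> bool:
    """True for sources that effectively allow any origin or any subdomain."""
    s = src.lower()
    return s in ("*", "http:", "https:", "data:") or s.startswith("*.") or "://*." in s


def find_weaknesses(header: str) -> List[str]:
    """Return human-readable findings for a CSP header string."""
    policy = parse_csp(header)
    findings: List[str] = []
    # script-src falls back to default-src; with neither, scripts load from anywhere.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src/default-src: scripts may load from any origin")
    else:
        lowered = [s.lower() for s in script]
        # A nonce or hash makes browsers ignore 'unsafe-inline', so flag it only when alone.
        if "'unsafe-inline'" in lowered and not any(s.startswith(NONCE_OR_HASH) for s in lowered):
            findings.append("script-src 'unsafe-inline' without nonce/hash: inline XSS runs")
        findings += [f"script-src allows overbroad source {s}" for s in script if overbroad(s)]
    # frame-ancestors has no default-src fallback: if absent, any page may frame this one.
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: clickjacking not prevented")
    # connect-src governs fetch/XHR/WebSocket, the usual exfiltration channels.
    connect = policy.get("connect-src", policy.get("default-src", ["*"]))
    if any(overbroad(s) for s in connect):
        findings.append("connect-src allows overbroad destinations: exfiltration possible")
    return findings


# Constructed samples: a weak policy (3 findings) and a strict one (none).
WEAK = "default-src *; script-src 'self' 'unsafe-inline' https://cdn.example; img-src data:"
STRICT = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
          "connect-src 'self'; frame-ancestors 'none'; base-uri 'self'")

if __name__ == "__main__":
    for name, hdr in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, find_weaknesses(hdr))
```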
When do I need it?
Use it as a sanity check before shipping a new CSP, after a CMS or theme update, when migrating
from CSP Level 2 to Level 3 ('strict-dynamic', hash sources, Trusted Types), or
to audit a third-party site you embed via iframe. The companion generator builds a fresh
policy from scratch.