Free CSP Checker & Evaluator
A Content-Security-Policy only helps if it's actually strong. Most checkers just tell you whether the header exists. We evaluate its effectiveness, scoring it out of 100 and calling out the directives that quietly defeat its XSS protection.
Unsafe Directives
Flags 'unsafe-inline' and 'unsafe-eval' in script-src, which let injected scripts run despite the policy.
Wildcards & Gaps
Detects wildcard/scheme sources and missing object-src, base-uri, and frame-ancestors directives.
Strength Score
Get a 0-100 effectiveness score with a clear verdict on whether your policy meaningfully mitigates XSS and injection.
Presence isn't protection
Many sites ship a CSP that looks reassuring but contains 'unsafe-inline' or a wildcard script-src, which neutralizes the very protection CSP is meant to provide. We parse the policy directive by directive and tell you whether it would actually stop an attacker.
A policy with no high-severity gaps is marked effective, with its score shown.
Frequently Asked Questions About Content-Security-Policy
What is a Content-Security-Policy (CSP) checker?
A CSP checker analyzes the Content-Security-Policy header a site sends and reports how well it protects against cross-site scripting and injection. Unlike tools that only confirm the header is present, ours parses the policy directive by directive and scores how effective it actually is.
Why is having a CSP not enough on its own?
A policy can exist and still provide almost no protection. Common weaknesses such as unsafe-inline in script-src, a wildcard source, or a missing object-src let injected scripts run anyway. Presence is not protection, which is why we evaluate effectiveness rather than just checking that the header is set.
What makes a Content-Security-Policy weak?
The biggest issues are 'unsafe-inline' and 'unsafe-eval' in script-src (which allow inline and string-evaluated code), wildcard or scheme sources like * or https: (which allow scripts from anywhere), and data: in script-src. Missing object-src 'none', base-uri, and frame-ancestors directives also weaken the policy. We flag each of these.
How is the CSP strength score calculated?
We start at 100 and subtract points for each weakness found, weighted by how much it undermines the policy, then return a 0-100 score. A policy with no high-severity gaps is marked effective. The result lists every issue so you know exactly what to tighten.
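As an added example (not ScanTower's own code), the following Python scorer implements the approach described in the two answers above: parse the header directive by directive, flag 'unsafe-inline', 'unsafe-eval', wildcard and bare scheme sources in the effective script sources, note a missing object-src 'none', base-uri and frame-ancestors, and subtract weighted points from 100. The point values are constructed assumptions, not the tool's real weights; the fallback of script-src and object-src to default-src follows the CSP specification.

```python
"""CSP effectiveness scorer: parses a policy directive by directive and
deducts points per weakness. Added example, not ScanTower's code; the
severity weights below are constructed assumptions, not the tool's own."""
from __future__ import annotations
import re

HIGH, MEDIUM = 40, 15  # constructed point deductions per finding
SCHEME_SRC = re.compile(r"^[a-z][a-z0-9+.-]*:$")  # bare scheme such as https: or data:


def parse_csp(header: str) -> dict[str, list[str]]:
    """Return {directive: [sources]}; a repeated directive keeps its first occurrence, as browsers do."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def evaluate_csp(header: str) -> dict:
    """Score a CSP header 0-100 and list its weaknesses as (severity, message) pairs."""
    policy = parse_csp(header)
    findings: list[tuple[str, str]] = []
    # script-src falls back to default-src; with neither present, scripts are unrestricted
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append(("high", "no script-src or default-src: scripts unrestricted"))
        scripts = []
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if bad in scripts:
            findings.append(("high", f"{bad} in script sources"))
    for src in scripts:
        if SCHEME_SRC.match(src):  # https:, http:, data:, blob: ... allow scripts from anywhere
            findings.append(("high", f"scheme source {src} in script sources"))
    # object-src falls back to default-src; only 'none' closes the plugin vector
    if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
        findings.append(("medium", "object-src is not 'none'"))
    # base-uri and frame-ancestors have no default-src fallback, so absence means no control
    for directive in ("base-uri", "frame-ancestors"):
        if directive not in policy:
            findings.append(("medium", f"{directive} missing"))
    score = 100 - sum(HIGH if sev == "high" else MEDIUM for sev, _ in findings)
    return {"score": max(0, score), "effective": not any(s == "high" for s, _ in findings), "findings": findings}


if __name__ == "__main__":
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"  # constructed sample header
    for sev, msg in evaluate_csp(weak)["findings"]:
        print(f"[{sev}] {msg}")
    print("score:", evaluate_csp(weak)["score"])
```

A policy that only omits the medium-severity directives still comes out "effective" with a reduced score, which mirrors the verdict rule stated above.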
Is the CSP checker free?
Yes, it is free with no registration. For a complete audit that also covers cookie security, CORS, full security headers, and SSL/TLS, run a full ScanTower scan from the link below.
Want the Complete Picture?
This CSP Check is great for a quick look, but our Full Security Scan gives you a comprehensive security audit in one go.