CSP Test
Check whether site uses the CSP headers to defend against code injection, XSS, and clickjacking.
Powered by Geekflare Website Load Time API
What Is a CSP Test?
CSP Test checks whether a page sends an enforced Content-Security-Policy header and evaluates the policy directives for common risky patterns.
What the Tool Checks
| Check | Why It Matters |
|---|---|
| Content-Security-Policy | Confirms the site sends an enforced browser security policy. |
| Report-only mode | Useful for testing, but it does not enforce restrictions by itself. |
| script-src risks | Flags unsafe-inline, unsafe-eval, wildcard sources, data:, and insecure HTTP sources. |
| Baseline directives | Highlights missing default-src, object-src, and base-uri directives. |
How to Read the Results
If the result is Enforced, the page returned an enforced Content-Security-Policy header.
If the result is Review, the policy exists but includes directives or source values that should be tightened.
If the result is Missing or Report-only, add an enforced Content-Security-Policy header before treating the page as protected.
A strong CSP is application-specific. Start with a restrictive default-src 'self', avoid inline/eval script allowances where possible, set object-src 'none', and add base-uri and frame-ancestors when they fit the app.
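The checks in the table above map cleanly onto a small header evaluator. The following Python is an added example written for this page, not Geekflare's tool code: it parses a Content-Security-Policy value into directives, distinguishes an enforced header from report-only or missing, and flags the same risky script-src patterns (unsafe-inline, unsafe-eval, wildcard, data:, insecure HTTP) and missing baseline directives (default-src, object-src, base-uri). The header sets at the bottom are constructed sample input; the hostnames in them are placeholders.

```python
"""Minimal CSP header evaluator (added example; not the Geekflare tool's code)."""
from dataclasses import dataclass, field

ENFORCED = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"
BASELINE_DIRECTIVES = ("default-src", "object-src", "base-uri")

# Script-source values that weaken XSS protection, keyed in lowercase.
RISKY_SCRIPT_SOURCES = {
    "'unsafe-inline'": "permits inline <script> and event handlers, the primary XSS sink",
    "'unsafe-eval'": "permits eval()/new Function(), turning strings into code",
    "*": "wildcard allows scripts from any origin",
    "data:": "data: URIs let injected markup carry its own script body",
    "http:": "scheme source allows any plaintext-HTTP origin",
}


@dataclass
class CspReport:
    status: str  # "missing" | "report-only" | "review" | "enforced"
    findings: list[str] = field(default_factory=list)


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source, ...]}.

    Directive names are case-insensitive, so they are lowercased. Source
    values are kept verbatim because nonces and hashes are case-sensitive.
    Browsers honour only the first occurrence of a repeated directive.
    """
    policy: dict[str, list[str]] = {}
    for clause in header_value.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def evaluate_csp(headers: dict[str, str]) -> CspReport:
    """Classify a response's CSP headers the way the page's result table does."""
    lower = {k.lower(): v for k, v in headers.items()}
    if ENFORCED not in lower:
        status = "report-only" if REPORT_ONLY in lower else "missing"
        return CspReport(status, ["no enforced Content-Security-Policy header"])

    policy = parse_csp(lower[ENFORCED])
    findings: list[str] = []

    for directive in BASELINE_DIRECTIVES:
        if directive not in policy:
            findings.append(f"missing baseline directive {directive}")

    # script-src falls back to default-src when it is not set explicitly.
    if "script-src" in policy:
        scope, sources = "script-src", policy["script-src"]
    elif "default-src" in policy:
        scope, sources = "default-src (script-src fallback)", policy["default-src"]
    else:
        scope, sources = "script-src", []
        findings.append("scripts unrestricted: neither script-src nor default-src set")

    for src in sources:
        key = src.lower()
        if key in RISKY_SCRIPT_SOURCES:
            findings.append(f"{scope} contains {src}: {RISKY_SCRIPT_SOURCES[key]}")
        elif key.startswith("http://"):
            findings.append(f"{scope} allows insecure HTTP source {src}")

    # object-src exists to block plugin content; anything but 'none' is a gap.
    if "object-src" in policy and [s.lower() for s in policy["object-src"]] != ["'none'"]:
        findings.append("object-src should be 'none'")

    return CspReport("review" if findings else "enforced", findings)


# Constructed sample header sets (hostnames are placeholders, not real sites).
WEAK_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self' 'unsafe-inline' * data: http://cdn.example"
}
STRONG_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; "
        "base-uri 'self'; frame-ancestors 'none'"
}
REPORT_ONLY_HEADERS = {"Content-Security-Policy-Report-Only": "default-src 'self'"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS),
                        ("report-only", REPORT_ONLY_HEADERS), ("none", {})):
        report = evaluate_csp(hdrs)
        print(f"{label}: {report.status}")
        for finding in report.findings:
            print(f"  - {finding}")
```

One caveat a real checker must carry: CSP Level 2+ browsers ignore 'unsafe-inline' in script-src once a nonce or hash is present in the same directive, so its appearance there is a compatibility fallback for old browsers rather than a live weakness; the evaluator above still reports it so the policy can be reviewed. Equally, a site that sends several Content-Security-Policy headers has them all enforced (each must allow a load), which this single-header example does not model.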
Frequently Asked Questions
Content-Security-Policy tells browsers which scripts, styles, images, frames, and other resources may load. A good CSP reduces the impact of cross-site scripting and content injection bugs.
The tool checks for an enforced Content-Security-Policy header and flags risky patterns such as unsafe-inline, unsafe-eval, data: in sensitive directives, wildcard sources, insecure HTTP sources, and missing baseline directives.
No. Report-only mode is useful for testing, but it does not enforce restrictions. This tool treats report-only without an enforced CSP as needing review.