Skip to content
← Docs

CSP Analyzer

CSP Analyzer

Paste a Content-Security-Policy (or report-only) header value. The analyzer extracts directives and flags such as:

  • unsafe-inline, unsafe-eval
  • nonce-*, strict-dynamic
  • default-src, script-src, object-src

Each payload category is marked viable, maybe, or blocked with short exploitation notes.

How to use results

  • Prefer categories marked viable when choosing templates.
  • Combine with the filter profile: CSP may block inline script while still allowing certain SVG or DOM vectors.
  • Re-test after any CSP change on the target application.