CSP Analyzer
Paste a Content-Security-Policy (or report-only) header value. The analyzer extracts directives and flags such as:
unsafe-inline,unsafe-evalnonce-*,strict-dynamicdefault-src,script-src,object-src
Each payload category is marked viable, maybe, or blocked with short exploitation notes.
How to use results
- Prefer categories marked viable when choosing templates.
- Combine with the filter profile: CSP may block inline script while still allowing certain SVG or DOM vectors.
- Re-test after any CSP change on the target application.