Question 1

What does this CSP evaluator check?

Accepted Answer

It parses every directive in your policy and flags known weaknesses: unsafe-inline in script-src (defeats CSP's main purpose), unsafe-eval (permits eval/new Function), wildcard (*) or overly-permissive sources (data:, https: alone), missing object-src 'none' (deprecated plugin exploit surface), missing frame-ancestors (clickjacking protection), and missing base-uri (base tag injection). Each issue is weighted by severity.

Question 2

What's a good CSP grade?

Accepted Answer

A: strict CSP with nonce-based script-src, no unsafe-* directives, frame-ancestors and object-src locked down. B: mostly strict with minor gaps (e.g., missing base-uri). C: hash- or nonce-less CSP with specific allowlisted sources but no unsafe-inline. D: contains unsafe-inline or unsafe-eval. F: wildcard script-src or no CSP at all. Most production apps land at C-D; aim for B or better.

Question 3

Why is `unsafe-inline` such a big deal?

Accepted Answer

`unsafe-inline` permits inline <script> tags and inline event handlers (onclick=). This is exactly what XSS attackers inject — so adding unsafe-inline to your CSP means your CSP provides zero XSS protection. The fix is to use nonce-based CSP (a per-response random value) or hash-based CSP (SHA of specific inline scripts). Both block injected scripts while allowing your legitimate ones.

Question 4

Why does my CSP need `frame-ancestors`?

Accepted Answer

frame-ancestors controls who can embed your site in an iframe. Without it (or X-Frame-Options), attackers can iframe your page into their site and trick users into clicking things they didn't intend (clickjacking). Set frame-ancestors 'none' (no framing allowed) or 'self' (only your own domain can frame you). Note: frame-ancestors is not controlled by default-src.

Question 5

What's the difference between CSP and CSP-Report-Only?

Accepted Answer

CSP-Report-Only logs violations to the browser console and sends reports but doesn't actually block anything — useful for testing a new policy before enforcement. Deploy Report-Only first, collect reports for a week, fix any legitimate breakage, then switch to the enforcing Content-Security-Policy header. Going straight to enforcement usually breaks something.

Question 6

Can I use both nonce AND hash?

Accepted Answer

Yes, and sometimes you should. Use nonce for dynamic inline scripts (changes per request), hash for static inline scripts (e.g., a consistent analytics snippet). Combine with strict-dynamic so scripts loaded BY a trusted script are automatically trusted — eliminates the need to whitelist every CDN.

CSP Evaluator

Frequently Asked Questions

What does this CSP evaluator check?

What's a good CSP grade?

Why is `unsafe-inline` such a big deal?

Why does my CSP need `frame-ancestors`?

What's the difference between CSP and CSP-Report-Only?

More Free Tools

CSP Evaluator

Frequently Asked Questions

What does this CSP evaluator check?

What's a good CSP grade?

Why is unsafe-inline such a big deal?

Why does my CSP need frame-ancestors?

What's the difference between CSP and CSP-Report-Only?

More Free Tools

Why is `unsafe-inline` such a big deal?

Why does my CSP need `frame-ancestors`?