CSP Checker

Check a website's Content-Security-Policy header and generate a practical starter policy for scripts, styles, images, frames, and connections.

Starter CSP generator

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.swetrix.com; connect-src 'self' https://api.swetrix.com; img-src 'self' data: https:; style-src 'self'; font-src 'self' data:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'

Free Content Security Policy Checker

A Content Security Policy helps reduce the blast radius of cross-site scripting and injection bugs. This tool checks the live CSP header on a site and gives you a simple generator for a starter policy.

What makes a CSP useful

A useful CSP should include a default-src fallback, restrict script sources, control frame embedding, and avoid unsafe-inline where possible.

Roll out CSP carefully

Start with a report-only policy when you are unsure. Review violations, add the sources your site actually needs, then enforce the policy when critical paths are clean.
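The checks described above (default-src fallback, restricted script sources, frame embedding, unsafe-inline) and the report-only versus enforced distinction, written out as an added example; this is not the tool's own code, and the STARTER value is the page's starter policy reused as sample input:

```python
"""Added example (not the page's tool): parse a CSP value, flag the weaknesses this page lists."""
from typing import Dict, List, Tuple

WEAK_SCRIPT_SOURCES = {"*", "http:", "https:", "data:"}  # any origin / scheme-wide allow
# The starter policy value from this page, used as sample input.
STARTER = ("default-src 'self'; script-src 'self' https://cdn.swetrix.com; "
           "connect-src 'self' https://api.swetrix.com; img-src 'self' data: https:; "
           "style-src 'self'; font-src 'self' data:; frame-ancestors 'none'; "
           "base-uri 'self'; form-action 'self'")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [sources]}; browsers honour only
    the first occurrence of a duplicated directive, so later ones are dropped."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_csp(header: str) -> List[str]:
    """Return findings for one policy value; an empty list means it passes."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src fallback: unlisted directives allow any source")
    scripts = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    for src in scripts:  # script-src falls back to default-src when absent
        if src in WEAK_SCRIPT_SOURCES:
            findings.append(f"script-src allows {src}: scripts may load from any such origin")
    # a nonce or hash in the same directive makes browsers ignore 'unsafe-inline'
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts run")
    if "'unsafe-inline'" in [s.lower() for s in policy.get("style-src", [])]:
        findings.append("style-src allows 'unsafe-inline' (lower risk than script-src)")
    if "frame-ancestors" not in policy:  # does not fall back to default-src
        findings.append("no frame-ancestors: any site may frame this page")
    return findings

def check_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify a response as 'enforced', 'report-only' or 'none' and check it."""
    h = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in h:
        return "enforced", check_csp(h["content-security-policy"])
    if "content-security-policy-report-only" in h:
        return "report-only", check_csp(h["content-security-policy-report-only"])
    return "none", ["no CSP header present"]
```

Feed it the response headers from a fetch of the site; a "report-only" result with an empty findings list is the state to reach before switching the header name to the enforcing one.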

Frequently Asked Questions

What is Content Security Policy?

Content Security Policy is an HTTP response header that tells browsers which sources are allowed for scripts, styles, images, frames, fonts, and other resources.

Does CSP stop all XSS attacks?

No. CSP is a defense-in-depth control. It can reduce impact, but it should be combined with output escaping, input validation, and secure coding practices.

What does unsafe-inline mean?

unsafe-inline allows inline scripts or styles. It is often convenient but weakens CSP protection, especially for script-src.

Should I use report-only first?

Yes, report-only mode is useful for testing. It reports violations without blocking resources, which helps avoid breaking production pages.

Can analytics work with CSP?

Yes. Add your analytics script and API endpoints to script-src and connect-src. Swetrix can run under CSP with the right source entries.

It's time to ditch Google Analytics.

Tired of the frustration, complexity and privacy issues of Google Analytics? We were too. That's why we built Swetrix - the ethical, open source and fully cookieless alternative.
