There's nothing here.

Best Content-Security-Policy tool to validate and check XSS, Clickjacking & Formjacking protection grade and to detect CSP bypasses.

CSP Scanner: Test & Analyze Visited Sites CSP

Get a full analysis of your Content-Security-Policy. Understand how to easily improve it. Analyze protection coverage from XSS, Clickjacking, Formjacking & more.

Get a free CSP monitoring and automaticly improve your CSP grade

Automate your CSP

See the CSP security grades for the websites you visit. Analyze CSP protection coverage from XSS, Clickjacking, Formjacking and more.

CSP Scanner - Content Security Policy Check | Browser Extension

Get a full analysis of your Content-Security-Policy, and understand how to easily improve it:

Summary

Client-Side CSP Security Posture

CSP scan results for raw CSP - Grade: {{grade}}, Score: {{score}}. Edit your CSP and get a full analysis of client-side attacks protection and CSP bypasses.

CSP scan results for {{url}} - Grade: {{grade}}, Score: {{score}}. Get a full analysis of client-side attacks protection and CSP bypasses.

CSP Scanner results for {{url}}

CSP Scanner - Content Security Policy Check | Analyze Bypasses

Strong protection against Clickjacking thanks to strict 'frame-ancestors', 'frame-src' and 'child-src'.

Strong protection against Formjacking thanks to strict 'form-action' and 'base-uri'.

'self' might host <a class="text-blue-500 font-medium hover:underline hover:text-blue-600" href="https://rapidsec.com/docs/csp-bypasses?utm_source=cspscanner&utm_medium=result_section" rel="noopener" target="_blank">CSP bypasses</a> (such as JSONP endpoints, legacy Angular or user uploaded files).

Missing 'child-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

'none' is the strictest possible value for 'default-src'. Well done!

Missing 'frame-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

Missing 'manifest-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

Missing 'media-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

'none' is the strictest possible value for 'object-src'. Well done!

Missing 'prefetch-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

Missing 'worker-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

'none' is the strictest possible value for 'frame-ancestors'. Well done!

Strong CSP reporting thanks to 'report-sample'.

Add another 'report-uri' to get better violation reports. <a class="text-blue-500 font-medium hover:underline hover:text-blue-600" href="https://rapidsec.com/projects/add?utm_source=cspscanner&utm_medium=report-uri" rel="noopener" target="_blank">Setup a free report-uri at RapidSec</a>

Missing 'report-sample'. It is important in order to have strong and rich CSP reporting like XSS advanced analysis.

The source list for Content Security Policy directive 'font-src' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.

Has CSP in enforcing mode which can protect client-side attacks like XSS, Clickjacking, Formjacking, Data Exfiltration and more.

Client-Side CSP Security Posture

Content Security Policy (CSP) Scanner