There's nothing here.

Best Content-Security-Policy tool to validate and check XSS, Clickjacking & Formjacking protection grade and to detect CSP bypasses.

CSP Scanner: Test & Analyze Visited Sites CSP

Get a full analysis of your Content-Security-Policy. Understand how to easily improve it. Analyze protection coverage from XSS, Clickjacking, Formjacking & more.

Get a free CSP monitoring and automaticly improve your CSP grade

Automate your CSP

See the CSP security grades for the websites you visit. Analyze CSP protection coverage from XSS, Clickjacking, Formjacking and more.

CSP Scanner - Content Security Policy Check | Browser Extension

Get a full analysis of your Content-Security-Policy, and understand how to easily improve it:

Summary

Client-Side CSP Security Posture

CSP scan results for raw CSP - Grade: {{grade}}, Score: {{score}}. Edit your CSP and get a full analysis of client-side attacks protection and CSP bypasses.

CSP scan results for {{url}} - Grade: {{grade}}, Score: {{score}}. Get a full analysis of client-side attacks protection and CSP bypasses.

CSP Scanner results for {{url}}

CSP Scanner - Content Security Policy Check | Analyze Bypasses

Missing 'report-sample'. It is important in order to have strong and rich CSP reporting like XSS advanced analysis.

'self' might host <a class="text-blue-500 font-medium hover:underline hover:text-blue-600" href="https://rapidsec.com/docs/csp-bypasses?utm_source=cspscanner&utm_medium=result_section" rel="noopener" target="_blank">CSP bypasses</a> (such as JSONP endpoints, legacy Angular or user uploaded files).

Add another 'report-uri' to get better violation reports. <a class="text-blue-500 font-medium hover:underline hover:text-blue-600" href="https://rapidsec.com/projects/add?utm_source=cspscanner&utm_medium=report-uri" rel="noopener" target="_blank">Setup a free report-uri at RapidSec</a>

Strong protection against Clickjacking thanks to strict 'frame-ancestors', 'frame-src' and 'child-src'.

Strong protection against Formjacking thanks to strict 'form-action' and 'base-uri'.

Missing 'child-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

'none' is the strictest possible value for 'default-src'. Well done!

Missing 'font-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

Missing 'frame-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

Missing 'manifest-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

Missing 'media-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

'none' is the strictest possible value for 'object-src'. Well done!

Missing 'prefetch-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

Missing 'worker-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

'none' is the strictest possible value for 'frame-ancestors'. Well done!

Strong CSP reporting thanks to 'report-sample'.

Has CSP in enforcing mode which can protect client-side attacks like XSS, Clickjacking, Formjacking, Data Exfiltration and more.

Client-Side CSP Security Posture

Summary

Content Security Policy (CSP) Scanner

General

Necessary Directives

Scripting Directives

Frames Directives

Content Directives