Free Content Security Policy (CSP) Checker

Free tool

Scan your Content Security Policy for unsafe-inline, unsafe-eval, missing object-src and base-uri, and weak sources. Get nonce and strict-dynamic fixes you can ship today.

  • CSP directives analysis
  • Detect unsafe-inline/eval
  • CSP violation detection
  • No credit card required
  • Production-safe (100% passive)
  • No setup or code required
Trusted by 4,000+ security & engineering teams

What you get for free

18 core security checks via this tool, passive scans, step-by-step remediation, security score on every result.

What Essential adds at $39/mo

+17 advanced checks, continuous monitoring, daily security score history, email alerts, GitHub SAST, board-ready PDFs, SOC 2 / ISO 27001 / PCI reports.

What is Content Security Policy (CSP)?

CSP is a browser security layer that controls where your app can load resources from (scripts, styles, images, frames, etc.). A strict policy prevents XSS and reduces supply-chain risk by blocking unexpected sources.

Why CSP matters

A strong CSP can neutralize whole classes of injection bugs and mitigate third-party script risk. It also provides defense in depth when combined with escaping, sanitization, and Trusted Types.

How to fix common failures

  • Replace script-src 'unsafe-inline' with nonces (rotate per request)
  • Add object-src 'none'; base-uri 'none'; form-action 'self'
  • Audit third-party domains and restrict to explicit allow-lists
  • Enable upgrade-insecure-requests and avoid mixed content

Examples (good vs bad)

Bad: script-src 'self' 'unsafe-inline' https://cdn.example.com

Better: script-src 'self' 'nonce-...' 'strict-dynamic' https://cdn.example.com; object-src 'none'; base-uri 'none'

What this checker validates

  • Detects unsafe directives (unsafe-inline, unsafe-eval)
  • Flags missing baselines: object-src 'none', base-uri 'none'
  • Evaluates nonce/hash usage and recommends strict-dynamic
  • Reviews frame-ancestors, form-action, upgrade-insecure-requests
  • Monitors CSP console errors to identify blocked legitimate resources
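The fixes, the good-vs-bad examples and the checks listed above, as an added worked example in Node.js. This is not Barrion's checker; it is a compact analyzer of my own that parses a raw Content-Security-Policy header value and applies the same rules (unsafe-inline/unsafe-eval, weak sources, missing object-src and base-uri baselines, nonce/hash use without strict-dynamic, missing frame-ancestors, form-action and upgrade-insecure-requests). The severity weights and score are assumptions; the nonce value abc123 in the "better" policy is a constructed placeholder.

```javascript
// Added example (not Barrion's code): a compact CSP analyzer that runs the
// checks listed above against a raw Content-Security-Policy header value.
// Fallback rules follow the CSP spec: script-src and object-src inherit from
// default-src when absent; base-uri, form-action and frame-ancestors do not.

const INHERITS_DEFAULT = new Set(["script-src", "object-src"]);

// "a b; c d" -> Map { "a" => ["b"], "c" => ["d"] }. Browsers ignore a repeated
// directive, so the first occurrence wins, exactly as a browser would see it.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Sources a directive actually governs after default-src fallback; null means
// the browser applies no restriction at all.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (INHERITS_DEFAULT.has(directive) && policy.has("default-src")) {
    return policy.get("default-src");
  }
  return null;
}

const isNonce = (s) => /^'nonce-[^']+'$/i.test(s);
const isHash = (s) => /^'sha(256|384|512)-[^']+'$/i.test(s);
// Wildcards, bare schemes and host wildcards let far more than your own code run.
const isWeakSource = (s) =>
  s === "*" || /^(https?|data|blob|filesystem):$/i.test(s) || /^(https?:\/\/)?\*\./i.test(s);

// Assumed severity weights for the score (not Barrion's scoring).
const PENALTY = { high: 25, medium: 10, low: 3 };

function analyzeCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const add = (severity, directive, message) => findings.push({ severity, directive, message });

  const script = effectiveSources(policy, "script-src");
  if (script === null) {
    add("high", "script-src", "neither script-src nor default-src is set: any script source is allowed");
  } else {
    const hasNonceOrHash = script.some((s) => isNonce(s) || isHash(s));
    if (script.includes("'unsafe-inline'")) {
      // Once a nonce or hash is present, modern browsers ignore 'unsafe-inline';
      // it then only weakens the policy for legacy browsers, so the severity drops.
      add(hasNonceOrHash ? "low" : "high", "script-src",
        "'unsafe-inline' lets injected inline scripts run on browsers that honour it; use per-request nonces instead");
    }
    if (script.includes("'unsafe-eval'")) {
      add("medium", "script-src", "'unsafe-eval' enables eval()/new Function(); remove it or isolate the dependency that needs it");
    }
    for (const s of script.filter(isWeakSource)) {
      add("medium", "script-src", `weak source ${s}: use exact scheme+host entries instead`);
    }
    if (hasNonceOrHash && !script.includes("'strict-dynamic'")) {
      add("low", "script-src", "nonce/hash present without 'strict-dynamic'; add it so the host allow-list can be dropped");
    }
    if (!hasNonceOrHash && !script.includes("'none'")) {
      add("medium", "script-src", "no nonce or hash source; host-only allow-lists are weaker than nonces with 'strict-dynamic'");
    }
  }

  const object = effectiveSources(policy, "object-src");
  if (!object || !object.includes("'none'")) {
    add("medium", "object-src", "set object-src 'none' to block plugin content (<object>, <embed>)");
  }
  const base = policy.get("base-uri"); // no default-src fallback for base-uri
  if (!base || !base.includes("'none'")) {
    add("medium", "base-uri", "set base-uri 'none' so an injected <base> tag cannot redirect relative script URLs");
  }
  for (const d of ["frame-ancestors", "form-action", "upgrade-insecure-requests"]) {
    if (!policy.has(d)) add("low", d, `${d} is missing`);
  }

  const score = Math.max(0, 100 - findings.reduce((n, f) => n + PENALTY[f.severity], 0));
  return { score, findings };
}

// The page's own "bad" and "better" examples (nonce value constructed), plus the
// strict policy from the page's Nginx configuration.
const BAD = "script-src 'self' 'unsafe-inline' https://cdn.example.com";
const BETTER = "script-src 'self' 'nonce-abc123' 'strict-dynamic' https://cdn.example.com; object-src 'none'; base-uri 'none'";
const STRICT = "default-src 'self'; script-src 'self' 'nonce-$request_id' 'strict-dynamic'; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";

for (const [label, csp] of Object.entries({ BAD, BETTER, STRICT })) {
  const { score, findings } = analyzeCsp(csp);
  console.log(`${label}: score ${score}`);
  for (const f of findings) console.log(`  [${f.severity}] ${f.directive}: ${f.message}`);
}
```

Run it with `node csp-check.js`. The "bad" policy scores 36 (one high, three medium, three low findings), the "better" policy scores 91 with only the three low-severity baseline gaps, and the strict policy produces no findings. Note that the analyzer evaluates the header in isolation; it cannot tell you whether the nonce is actually rendered into the page's script tags, which is why the violation monitoring described above still matters.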

Across 7,440 recent scans, 98.9% are missing a strict Content Security Policy, and 98.0% have no Trusted Types directive.

Implementation examples

Once you've identified the gap, applying the fix is straightforward. Here are the three configurations developers reach for most often.

Nginx

# $request_id is a random 32-hex-character value nginx generates per request. The same value must appear in the page's <script nonce="..."> attributes (rendered by the upstream app or injected with sub_filter), and "always" keeps the header on error responses too.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-$request_id' 'strict-dynamic'; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" always;

Apache

# CSP_NONCE must be set as a per-request environment variable before this line runs (for example from mod_unique_id's UNIQUE_ID via a RewriteRule) and reused in the page's <script nonce="..."> attributes.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-%{CSP_NONCE}e' 'strict-dynamic'; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests"

Node.js (Express + Helmet)

import crypto from "node:crypto"
import express from "express"
import helmet from "helmet"

const app = express()

// Generate a fresh 128-bit nonce for every response; never reuse one across requests.
app.use((req, res, next) => {
  res.locals.cspNonce = crypto.randomBytes(16).toString("base64")
  next()
})

app.use(
  helmet({
    contentSecurityPolicy: {
      useDefaults: false,
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc: [
          "'self'",
          // Helmet evaluates function values per response, so the header carries this response's nonce.
          (_req, res) => `'nonce-${res.locals.cspNonce}'`,
          "'strict-dynamic'",
        ],
        objectSrc: ["'none'"],
        baseUri: ["'none'"],
        formAction: ["'self'"],
        frameAncestors: ["'none'"],
        upgradeInsecureRequests: [],
      },
    },
  }),
)

// The same nonce must be placed on every <script> tag the page renders, or the browser blocks it.
app.get("/", (_req, res) => {
  res.type("html").send(`<script nonce="${res.locals.cspNonce}" src="/app.js"></script>`)
})

app.listen(3000)

Tool-specific questions

What does a CSP checker test?

A CSP checker inspects the Content-Security-Policy header your site sends and evaluates it for risky directives like unsafe-inline, unsafe-eval, and wildcard sources. These let injected scripts execute, which is exactly the outcome CSP exists to prevent. Barrion's free tool identifies gaps and provides guidance on switching to nonces, hashes, and strict-dynamic for a secure, modern CSP.

Should I use nonces or hashes?

For dynamic apps, prefer nonces with strict-dynamic. For static inline scripts, hashes are fine. Avoid unsafe-inline entirely.

Do I need object-src and base-uri even if unused?

Yes. Set object-src 'none' and base-uri 'none' to close legacy vectors and prevent base tag abuse: object-src 'none' blocks plugin content loaded through <object> and <embed>, and base-uri 'none' stops an injected <base> tag from redirecting the page's relative script URLs to another origin.

Can I allow *.cdn.com wildcards?

Use precise hosts over broad wildcards. Prefer scheme+host allow-lists to limit blast radius.

How often should CSP nonces rotate?

Per response/request. Never reuse nonces across requests.

How do I migrate from unsafe-inline to nonces?

Identify inline scripts, move logic to external files where possible, add per-response nonces to remaining inline scripts, and include the nonce in script-src with strict-dynamic. Remove unsafe-inline once all critical scripts are covered.

Why do third-party widgets get blocked?

Widgets load scripts, frames, or styles from external origins. Add only the required hosts to your CSP allow-list and prefer provider guidance on exact domains. Avoid broad wildcards.

Does Barrion detect CSP console errors?

Yes, Barrion detects CSP console errors that occur when your CSP policy blocks legitimate resources your website needs. These violations appear in the browser's developer console and can silently break website features, degrade user experience, or prevent third-party services (analytics, widgets, CDNs) from working. Our monitoring helps you identify and fix these issues while maintaining strong security.

Why Barrion

Built for the engineers who already have enough to fix.

Speed: Real-time results

Instant analysis with a detailed report. You see findings as the scan runs, not after.

Coverage: Comprehensive checks

35+ checks per scan covering TLS, headers, CORS, cookies, DNS, email auth, and more, in a single pass.

Action: Step-by-step fixes

Every finding ships with the exact remediation step for your framework. Hand it to the engineer who owns the surface.

FAQ

Frequently asked.

What is Barrion and how does it enhance website security?
Barrion is a security testing and monitoring platform for engineering teams, and it works in three ways. Passive scanning keeps a continuous, read-only watch over your live web apps and APIs. Codebase scanning connects to GitHub and checks your code for hard-coded secrets, insecure patterns and vulnerable dependencies. AI pentesting goes on the offensive, running agent-driven attacks that prove which vulnerabilities are genuinely exploitable. Every finding comes with a step-by-step fix you can ship right away.
How safe is Barrion to use for security testing?
Passive scanning and codebase scanning are completely safe to run, including against production. Passive scans only read your live app, so we never submit forms, brute-force endpoints or touch anything that changes state, and codebase scanning just reads your repository. AI pentesting is more aggressive by design, since its job is to confirm real exploits, so it runs rate-limited and non-destructive, and you agree the scope with us before it starts.
What types of security issues does Barrion identify?
It depends on the surface. On your live apps, Barrion catches misconfigurations across TLS and HTTPS, security headers, cookie flags, CORS policy, DNS records, email authentication (SPF, DKIM, DMARC), network exposure and the usual web hygiene gaps. In your codebase it finds secrets committed to the repo, insecure code patterns and vulnerable dependencies. AI pentesting surfaces the exploitable stuff, like SQL injection, cross-site scripting and broken access control, each one backed by proof it can actually be exploited.
What specific security checks does Barrion perform?
For live apps it checks TLS and HTTPS configuration, HTTP security headers, cookie flags, CORS policy, DNS and email authentication records, network exposure and common web hygiene issues. In your codebase it looks for hard-coded secrets, insecure patterns and vulnerable dependencies. AI pentesting takes it further by actively chaining requests to confirm exploitable flaws. Whatever the source, findings are ranked by severity and come with clear, step-by-step remediation.
What is Barrion's smart crawling?
Smart crawling automatically discovers the pages and endpoints of your app so scans cover the surface that matters, without you manually listing every URL.
How often does Barrion perform security scans?
You can run a scan manually whenever you want. Continuous monitoring of your live apps runs on its own (weekly and up on Essential, daily on Business), codebase scans can fire on every commit or pull request, and we alert you the moment something new shows up.
Is Barrion suitable for security testing of all business sizes?
Yes. Live-app monitoring, codebase scanning through GitHub and AI pentesting all work just as well for a solo developer as for a startup, a scale-up or an enterprise security team, without adding headcount.
How does Barrion handle data security and privacy during security testing?
Live-app and codebase scans are read-only by default, and we never store or expose sensitive data from your application. AI pentests are rate-limited and non-destructive, built to confirm whether something is exploitable without altering your data or affecting availability.
What if I'm not satisfied with Barrion's security testing service?
Paid plans start with a free trial, and you can cancel anytime. If something isn't right, contact us and we'll make it work for your team.
How does Barrion help with SOC 2, ISO 27001, NIS2, and other compliance frameworks?
Barrion produces audit-ready PDF and CSV reports suitable for SOC 2, ISO 27001, PCI DSS and NIS2, ready to share with auditors, customers and your board.

Anything else? Email contact@barrion.io.

Lock down your CSP, then keep it locked.

Run continuous CSP checks across releases. Catch unsafe-inline regressions before they ship.