Free Content Security Policy (CSP) Checker

Analyze your site's Content Security Policy for unsafe directives and coverage.
Detect unsafe-inline/unsafe-eval, weak sources, and get best-practice guidance.

  • CSP directives analysis
  • Detect unsafe-inline/eval
  • Nonce/Hash guidance
No credit card required · Non-intrusive scanning · No setup required
★★★★★

"Barrion's security scanning has helped us implement best security practices efficiently, saving us countless hours."

Sarah Chen

Head of Security

★★★★★

"We identified and fixed critical vulnerabilities before our platform launch, saving us from potential data breaches."

Marcus Anderson

CTO

★★★★★

"Barrion gives us peace of mind, knowing we're notified of any security issues. Exactly what our team needed."

Oskar Nilsson

Tech Lead

Enterprise-Grade Security
GDPR & SOC 2 Aligned
Trusted Worldwide
ISO 27001 Aligned
How it works

Scan in three simple steps

Fast, safe, non-intrusive checks with actionable results.

1. Start scan

Enter your URL, and click the start scan button to begin.

2. Scan runs

Barrion performs passive, read-only security checks with minimal site impact.

3. View results

See security findings with prioritized, actionable recommendations.

What is Content Security Policy (CSP)?

CSP is a browser security layer that controls where your app can load resources from (scripts, styles, images, frames, etc.). A strict policy prevents XSS and reduces supply‑chain risk by blocking unexpected sources.

Why CSP matters

A strong CSP can neutralize whole classes of injection bugs and mitigate third‑party script risk. It also provides defense in depth when combined with escaping, sanitization, and Trusted Types.

What this checker validates

  • Detects unsafe directives (unsafe-inline, unsafe-eval)
  • Flags missing baselines: object-src 'none', base-uri 'none'
  • Evaluates nonce/hash usage and recommends strict-dynamic
  • Reviews frame-ancestors, form-action, upgrade-insecure-requests

How to fix common failures

  • Replace script-src 'unsafe-inline' with nonces (rotate per request)
  • Add object-src 'none'; base-uri 'none'; form-action 'self'
  • Audit third‑party domains and restrict to explicit allow‑lists
  • Enable upgrade-insecure-requests and avoid mixed content

Examples (good vs bad)

Bad: script-src 'self' 'unsafe-inline' https://cdn.example.com

Better: script-src 'self' 'nonce-...' 'strict-dynamic' https://cdn.example.com; object-src 'none'; base-uri 'none'
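To make the checks in "What this checker validates", the fixes above and the good/bad examples concrete, here is a small CSP analyzer written for this page. It is an added example, not Barrion's scanner code: it parses a Content-Security-Policy header value into directives and reports the findings described above (unsafe-inline/unsafe-eval, missing object-src and base-uri baselines, nonce/hash use without strict-dynamic, broad wildcard or scheme-only sources, and missing frame-ancestors, form-action and upgrade-insecure-requests). The sample policies are the page's own bad and better examples; the nonce value r4nd0m is a constructed placeholder standing in for the page's 'nonce-...'.

```python
"""Minimal CSP analyzer (added example, not the Barrion scanner)."""
import re

# Baseline directives the page says must be present with exactly this value.
BASELINES = {"object-src": "'none'", "base-uri": "'none'"}

# Sources that effectively allow scripts from anywhere (data: behaves like
# unsafe-inline for scripts).
SCHEME_WIDE = {"*", "http:", "https:", "data:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy header value into {directive: [source tokens]}.

    Directives are separated by ';', tokens by whitespace. Directive names
    are case-insensitive and browsers keep only the first occurrence of a
    repeated directive, so names are lower-cased and duplicates ignored.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def analyze_csp(header: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings: list[str] = []

    # script-src falls back to default-src when it is absent.
    script = policy.get("script-src", policy.get("default-src", []))
    lowered = [s.lower() for s in script]
    if not script:
        findings.append("no script-src or default-src: scripts load from anywhere")
    if "'unsafe-inline'" in lowered:
        findings.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in lowered:
        findings.append("script-src allows 'unsafe-eval'")

    # Nonces/hashes are only a strict policy together with 'strict-dynamic'.
    uses_nonce_or_hash = any(
        re.match(r"'(nonce|sha256|sha384|sha512)-", s) for s in lowered
    )
    if uses_nonce_or_hash and "'strict-dynamic'" not in lowered:
        findings.append("nonce/hash used without 'strict-dynamic'")

    # Missing or weakened baselines (object-src 'none', base-uri 'none').
    for name, required in BASELINES.items():
        values = policy.get(name)
        if values is None:
            findings.append(f"missing {name} {required}")
        elif [v.lower() for v in values] != [required]:
            findings.append(f"{name} should be {required}, got {' '.join(values)}")

    # Broad allow-list entries: wildcards in hosts/ports or whole schemes.
    for s in script:
        if s in SCHEME_WIDE or ("*" in s and not s.startswith("'")):
            findings.append(f"broad script source {s}")

    for name in ("frame-ancestors", "form-action"):
        if name not in policy:
            findings.append(f"missing {name}")
    if "upgrade-insecure-requests" not in policy:
        findings.append("missing upgrade-insecure-requests")
    return findings


# The page's own examples; 'nonce-r4nd0m' is a constructed placeholder value.
BAD = "script-src 'self' 'unsafe-inline' https://cdn.example.com"
BETTER = (
    "script-src 'self' 'nonce-r4nd0m' 'strict-dynamic' https://cdn.example.com; "
    "object-src 'none'; base-uri 'none'"
)

if __name__ == "__main__":
    for label, header in (("bad", BAD), ("better", BETTER)):
        print(f"{label}:")
        for finding in analyze_csp(header) or ["no findings"]:
            print("  -", finding)
```

Running it on the "Better" policy still reports the three directives that example omits (frame-ancestors, form-action, upgrade-insecure-requests), which is the point of the fix list above: a nonce-based script-src is necessary but not the whole baseline.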

Tool-specific questions

Should I use nonces or hashes?

For dynamic apps, prefer nonces with strict-dynamic. For static inline scripts, hashes are fine. Avoid unsafe-inline entirely.

Do I need object-src and base-uri even if unused?

Yes. Set object-src 'none' and base-uri 'none' to close legacy vectors and prevent base tag abuse.

Can I allow *.cdn.com wildcards?

Use precise hosts over broad wildcards. Prefer scheme+host allow‑lists to limit blast radius.

How often should CSP nonces rotate?

Per response/request. Never reuse nonces across requests.

How do I migrate from unsafe-inline to nonces?

Identify inline scripts, move logic to external files where possible, add per-response nonces to remaining inline scripts, and include the nonce in script-src with strict-dynamic. Remove unsafe-inline once all critical scripts are covered.
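The nonce and hash questions above (nonces versus hashes, rotating per response, migrating off unsafe-inline) come down to a few lines of server code. The following is an added example, not code from Barrion or from any framework: it generates a fresh nonce for each response, computes the CSP hash-source for a static inline script, assembles the "Better" policy shape from this page, and emits the inline script tag with the matching nonce attribute. The host https://cdn.example.com and the function names are taken from or chosen for this page, and the inline JavaScript snippets are constructed sample input.

```python
"""Per-response CSP nonces and static script hashes (added example)."""
import base64
import hashlib
import html
import secrets


def new_nonce(nbytes: int = 16) -> str:
    """Return a fresh base64 nonce. Generate one per HTTP response; never reuse it."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def script_hash(source: str, algo: str = "sha256") -> str:
    """CSP hash-source for a static inline script.

    The hash covers exactly the bytes between <script> and </script> as
    served, whitespace included, so a changed or re-indented script needs
    a new hash.
    """
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_csp(nonce: str, static_hashes=(), hosts=("https://cdn.example.com",)) -> str:
    """Assemble the page's 'Better' policy plus the baseline directives it lists."""
    script_src = ["'self'", f"'nonce-{nonce}'", "'strict-dynamic'", *static_hashes, *hosts]
    return "; ".join([
        "script-src " + " ".join(script_src),
        "object-src 'none'",
        "base-uri 'none'",
        "form-action 'self'",
        "frame-ancestors 'none'",
        "upgrade-insecure-requests",
    ])


def render_inline_script(nonce: str, inline_js: str) -> str:
    """Inline script tag carrying the same nonce the header advertises."""
    return f'<script nonce="{html.escape(nonce)}">{inline_js}</script>'


def respond(inline_js: str, static_js: str) -> tuple[dict[str, str], str]:
    """Build one response: headers and body share a single fresh nonce.

    inline_js is a per-page script that gets the nonce; static_js is an
    unchanging script allow-listed by hash instead.
    """
    nonce = new_nonce()
    headers = {"Content-Security-Policy": build_csp(nonce, [script_hash(static_js)])}
    body = render_inline_script(nonce, inline_js) + f"<script>{static_js}</script>"
    return headers, body


if __name__ == "__main__":
    # Constructed sample scripts standing in for real page code.
    hdrs, page = respond("initPage();", "console.log('static');")
    print(hdrs["Content-Security-Policy"])
    print(page)
```

Because strict-dynamic is present, browsers that implement CSP3 ignore the host entry and trust whatever the nonced script loads; the host stays only as a fallback for older browsers. The nonce must be minted after the response starts being built and placed in both the header and every legitimate inline script tag, which is why caching a rendered page with its nonce defeats the scheme.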

Why do third-party widgets get blocked?

Widgets load scripts, frames, or styles from external origins. Add only the required hosts to your CSP allow-list and prefer provider guidance on exact domains. Avoid broad wildcards.

Why Choose Barrion?

Real-Time Results

Instant security analysis with detailed reports, giving you an immediate security overview

Comprehensive Checks

Multiple best-practice security checks in a single scan, for broad coverage

Actionable and Effective

Clear recommendations for fixes, helping you improve your security quickly and effectively

General questions

Frequently Asked Questions

Find answers to common questions about Barrion.
If you have any other questions, feel free to reach out!

Trusted by IT Professionals

Organizations rely on Barrion to strengthen their security and stay ahead of emerging cyber threats.
Assess your application security today - results in under a minute.

Barrion

Barrion delivers automated security scans and real-time monitoring to keep your applications secure.

Contact Us

Have questions or need assistance? Reach out to our team for support.

© 2025 Barrion - All Rights Reserved.