Advanced CSP Evaluator

Analyze Content Security Policy headers for any domain. Get security grades, directive analysis, and vulnerability detection.

Advanced CSP Evaluator is a powerful security auditing tool that fetches and analyzes the Content-Security-Policy (CSP) headers of any public domain — giving you a clear security grade, a full directive breakdown, and a prioritized list of vulnerabilities in seconds. Whether you're a security engineer hardening a production app, a developer shipping a new release, or a researcher auditing third-party sites, this extension turns raw CSP headers into actionable insight. ━━━ KEY FEATURES ━━━ 🛡️ Security Grading Receive an A–F grade and a 0–100 score based on CSP best practices, weighted by directive strength and risk exposure. 🔍 Directive Breakdown See every CSP directive in use — default-src, script-src, style-src, frame-ancestors, and more — with plain-English explanations of what each one does and how it's configured. 🚨 Vulnerability Detection Automatically flags common CSP weaknesses, including: • 'unsafe-inline' and 'unsafe-eval' usage • Wildcard sources (*) and overly permissive origins • Missing critical directives (object-src, base-uri, frame-ancestors) • Report-Only mode that isn't actually enforced • Insecure schemes (http:, data:, blob:) where they shouldn't appear 📊 Additional Security Headers Beyond CSP, the extension surfaces the status of related headers like Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. 📝 Raw Header View Inspect the full, unmodified CSP header exactly as the server returned it — perfect for debugging or sharing with your team. ⚡ One-Click Analysis Just enter a domain (or analyze the active tab) and get a complete report instantly. No accounts, no tracking, no data leaves your browser beyond the HTTP request to the target site. ━━━ WHO IT'S FOR ━━━ • Web developers verifying their CSP deployment • Security engineers performing application audits • Penetration testers and bug bounty hunters • DevOps teams reviewing release readiness • Educators teaching web security concepts