Web ToolBox

CSP Parser

Parse CSP headers and list their directives

What is CSP Parser?

CSP Parser is a tool for reading a Content Security Policy header and breaking it down into easier-to-review directives. It also runs a quick local audit so you can spot risky patterns more easily.

When you paste a CSP string into the tool, directives such as script-src and img-src are grouped by category, and values like 'unsafe-inline' or wildcards become easier to notice.

How to Use

  1. Paste a CSP header into the input area.
  2. Review the quick audit results.
  3. Check the directive list grouped by category.
  4. Use the color-coded badges to spot keywords, domains, and riskier values.

Because the parser reacts immediately, it is useful when you want to compare small CSP changes as you edit them.

Main Things to Review

Quick Audit

The tool performs a lightweight check for common issues such as:

  • 'unsafe-inline' or 'unsafe-eval'
  • Wildcards like *
  • Missing default-src
  • Use of http:

The result is shown with HIGH / MEDIUM / LOW severity, but it is still only a basic pattern-based check rather than a full security review.

Policy Breakdown

Directives are grouped into categories such as Fetch, Document, Navigation, and Reporting. This makes it easier to understand how the policy is structured overall.

Color-coded Badges

Source values are color-coded so you can quickly distinguish:

  • Riskier values
  • Values that need caution
  • CSP keywords
  • Domain-based sources

This is especially helpful when reviewing a long policy at a glance.

Use Cases

  • Doing a first pass on a newly written CSP
  • Investigating a Content Security Policy violation
  • Reviewing an existing site's policy for risky settings
  • Checking how a new CDN, analytics script, or API source affects the policy

Input and Output Example

default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:

With a policy like this, you can inspect directive entries such as:

default-src: 'self'
script-src: 'self' https://cdn.example.com
style-src: 'self' 'unsafe-inline'
img-src: 'self' data: https:

Settings such as 'unsafe-inline' can also be surfaced as items worth reviewing.
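Below is an added example, not the Web ToolBox tool's own code, of what the parse-and-audit step described on this page looks like in JavaScript: it splits a header value into directives, groups them into the Fetch/Document/Navigation/Reporting categories, classifies each source value for a badge, and runs the four Quick Audit checks (unsafe-inline/unsafe-eval, wildcards, missing default-src, http:) against the example policy above. The category table, the severity assignments and the badge class names are assumptions made for this example, not the tool's actual rules.

```javascript
// Added example, not the Web ToolBox tool's source. The category table,
// severity choices and badge classes below are this example's assumptions.

const DIRECTIVE_CATEGORIES = {
  Fetch: ['default-src', 'script-src', 'script-src-elem', 'script-src-attr',
    'style-src', 'style-src-elem', 'style-src-attr', 'img-src', 'font-src',
    'connect-src', 'media-src', 'object-src', 'frame-src', 'child-src',
    'worker-src', 'manifest-src'],
  Document: ['base-uri', 'sandbox'],
  Navigation: ['form-action', 'frame-ancestors'],
  Reporting: ['report-uri', 'report-to'],
};

// Directives whose sources decide whether script can execute.
const SCRIPT_GOVERNING = ['default-src', 'script-src', 'script-src-elem', 'script-src-attr'];

// Split a header value into ordered { name, values } entries. Directive names
// are case-insensitive and are lower-cased; values keep their spelling for display.
function parseCsp(header) {
  return String(header)
    .split(';')
    .map(part => part.trim())
    .filter(part => part.length > 0)
    .map(part => {
      const [name, ...values] = part.split(/\s+/);
      return { name: name.toLowerCase(), values };
    });
}

function categoryOf(name) {
  for (const [category, names] of Object.entries(DIRECTIVE_CATEGORIES)) {
    if (names.includes(name)) return category;
  }
  return 'Other';
}

// Group parsed directives by category, preserving their order within each group.
function groupByCategory(directives) {
  const groups = {};
  for (const directive of directives) {
    const category = categoryOf(directive.name);
    if (!groups[category]) groups[category] = [];
    groups[category].push(directive);
  }
  return groups;
}

// Badge class for one source value: 'risk', 'caution', 'keyword' or 'domain'.
function classifySource(value) {
  const v = value.toLowerCase();
  if (v === "'unsafe-inline'" || v === "'unsafe-eval'" || v === '*' || v.startsWith('http:')) return 'risk';
  if (v.endsWith(':') || v.includes('*')) return 'caution'; // scheme sources (data:, https:) and wildcard hosts
  if (v.startsWith("'")) return 'keyword';
  return 'domain';
}

// Pattern-based audit; returns findings of the form { severity, directive, value, message }.
function auditCsp(directives) {
  const findings = [];
  if (!directives.some(d => d.name === 'default-src')) {
    findings.push({ severity: 'HIGH', directive: 'default-src', value: null,
      message: 'default-src is missing, so fetch directives that are not set have no fallback restriction' });
  }
  for (const d of directives) {
    const governsScript = SCRIPT_GOVERNING.includes(d.name);
    for (const value of d.values) {
      const v = value.toLowerCase();
      if (v === "'unsafe-inline'" || v === "'unsafe-eval'") {
        findings.push({ severity: governsScript ? 'HIGH' : 'MEDIUM', directive: d.name, value,
          message: `${value} permits inline or eval-style content in ${d.name}` });
      } else if (v === '*') {
        findings.push({ severity: governsScript ? 'HIGH' : 'MEDIUM', directive: d.name, value,
          message: `wildcard source allows any origin in ${d.name}` });
      } else if (v.startsWith('http:')) {
        findings.push({ severity: 'MEDIUM', directive: d.name, value,
          message: `plain http: source in ${d.name} can be altered in transit` });
      }
    }
  }
  return findings;
}

const SEVERITY_RANK = { HIGH: 3, MEDIUM: 2, LOW: 1 };

// Highest severity among the findings; 'NONE' when nothing was flagged.
function overallSeverity(findings) {
  let worst = 'NONE';
  for (const f of findings) {
    if ((SEVERITY_RANK[f.severity] || 0) > (SEVERITY_RANK[worst] || 0)) worst = f.severity;
  }
  return worst;
}

// The page's example policy, run through the functions above.
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:";

const parsed = parseCsp(EXAMPLE_POLICY);
for (const [category, entries] of Object.entries(groupByCategory(parsed))) {
  console.log(`[${category}]`);
  for (const d of entries) {
    console.log(`  ${d.name}: ${d.values.map(v => `${v} (${classifySource(v)})`).join(' ')}`);
  }
}
const findings = auditCsp(parsed);
console.log(`Audit: ${overallSeverity(findings)}`);
for (const f of findings) console.log(`  ${f.severity} ${f.directive}: ${f.message}`);
```

For the example policy this reports a single MEDIUM finding (the 'unsafe-inline' in style-src), which matches the page's note that such settings are surfaced for review; the same 'unsafe-inline' in script-src or default-src is rated HIGH because it governs script execution. One caveat worth keeping in mind when reviewing output like this: browsers honour only the first occurrence of a directive name and ignore later duplicates, whereas this parser keeps every occurrence, so a repeated directive should be resolved by hand.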

Things to Keep in Mind

  • The audit is a quick check, not a guarantee that a policy is secure
  • A valid CSP does not by itself eliminate all application security issues
  • Before using a policy in production, it is safer to test it with Report-Only mode and verify actual site behavior as well