CSP Evaluator

Evaluate your Content Security Policy with Handshake

Evaluation powered by Google's CSP Evaluator

All CSP evaluation happens locally in your browser. Your policies are never sent to any server.

Example CSP policies:

Basic restrictive policy: default-src 'self'
Common but unsafe: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
Complex but unsafe: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; img-src * data:; connect-src *; font-src *; object-src *; base-uri *; form-action *; frame-ancestors *;
CDN allowed: default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:
Strict policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; connect-src 'self'; object-src 'none'
Strict and complex: default-src 'self'; script-src 'self' https://trusted.example.com; style-src 'self' https://fonts.googleapis.com; img-src 'self' data: https://images.example.com; connect-src 'self' https://api.example.com; font-src 'self' https://fonts.gstatic.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;
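The checks below are an added illustration, not code from this page or from Google's CSP Evaluator: a small checker that parses a policy string, applies the default-src fallback, and reports the weaknesses the example policies above are labelled with. The finding texts and the subset of checks (script-src, object-src, base-uri) are this example's own choices.

```javascript
// Added example (not the page's or Google's csp_evaluator code): a minimal CSP checker.
// Parsing follows the CSP spec: directives are ';'-separated, the first occurrence of a
// directive wins, and fetch directives fall back to default-src when absent.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;            // empty trailing part after a final ';'
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = values;   // duplicates after the first are ignored
  }
  return directives;
}

function effective(d, name) {
  return d[name] || d['default-src'] || null;     // fetch-directive fallback to default-src
}

function evaluateCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const script = effective(d, 'script-src');
  if (!script) {
    findings.push('script-src: neither script-src nor default-src is set, scripts are unrestricted');
  } else {
    // CSP3 browsers ignore 'unsafe-inline' when a nonce or hash source is also present.
    const hasNonceOrHash = script.some(v => /^'(nonce-|sha(256|384|512)-)/.test(v));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src: 'unsafe-inline' lets any injected inline script run");
    if (script.includes("'unsafe-eval'"))
      findings.push("script-src: 'unsafe-eval' allows eval() and new Function()");
    if (script.some(v => v === '*' || v === 'http:' || v === 'https:'))
      findings.push('script-src: wildcard source allows scripts from any host');
  }
  const obj = effective(d, 'object-src');
  if (!obj) findings.push("object-src: missing, plugin content is unrestricted; use object-src 'none'");
  else if (obj.includes('*')) findings.push('object-src: wildcard source');
  const base = d['base-uri'];                     // base-uri does not fall back to default-src
  if (!base) findings.push('base-uri: missing, an injected <base> tag can redirect relative script URLs');
  else if (base.includes('*')) findings.push('base-uri: wildcard source');
  return findings;
}

// Sample input: policies taken from the examples listed above.
const EXAMPLES = {
  basic: "default-src 'self'",
  commonUnsafe: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
  complexUnsafe: "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; img-src * data:; connect-src *; font-src *; object-src *; base-uri *; form-action *; frame-ancestors *;",
  strictComplex: "default-src 'self'; script-src 'self' https://trusted.example.com; style-src 'self' https://fonts.googleapis.com; img-src 'self' data: https://images.example.com; connect-src 'self' https://api.example.com; font-src 'self' https://fonts.gstatic.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;",
};
```

Running `evaluateCsp` over each entry in `EXAMPLES` returns one finding for the basic policy (no base-uri), two for the common-but-unsafe policy, five for the complex-but-unsafe policy, and none for the strict-and-complex policy.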