Content Security Policy (CSP) Tester

Parse and validate Content-Security-Policy headers with directive breakdown and security analysis.

No sign up required · Stays in your browser · 100% free

How it works

  1. Paste or type your text in the input field
  2. Click "Analyze" — processing happens in your browser
  3. Copy the result or download as a text file

About Content Security Policy Tester

Content Security Policy Tester is a self-contained developer utility workspace. Parse and validate Content-Security-Policy headers with directive breakdown and security analysis. Open the page, get the result, close the tab — that is the entire workflow.

The heaviest users of Content Security Policy Tester tend to be QA engineers writing repro cases, backend developers inspecting requests and site reliability engineers triaging logs. Each group brings slightly different expectations to the tool, but the same single-page architecture serves every one of them with the same response time.

Content Security Policy Tester runs the entire transformation inside your browser. The file is read by JavaScript running in the page, processed in-memory by standard browser APIs, and written back as a download. The browser is the runtime; the page is the interface. You can confirm what the tool does by opening the developer-tools Network tab during a run — the only requests are for the page's own static assets.

From a technical standpoint, Content Security Policy Tester is JavaScript and standard browser APIs running in your tab. Maximum input size: 0 MB per run.

Most people land on Content Security Policy Tester via a search at the moment they actually need the tool. That shapes the design: the page is a single screen with the input on one side, the controls in the middle, and the result on the other, so a first-time visitor can complete the job without reading documentation.

Even on its own, Content Security Policy Tester composes well with the rest of your toolkit. The output is a standard developer file that opens in any program that handles the format, so the result of one run can become the input to whatever step you use next.

The output handed back by Content Security Policy Tester is the output file. If you would prefer to keep the result in the browser instead of downloading it, you can copy it from the result panel and paste it directly into another tab — useful when the next tool in your workflow expects pasted text rather than a file.

The architecture imposes only the limits the browser itself imposes. The published 0 MB ceiling is conservative; most modern devices comfortably handle inputs up to that size, and the cap exists so the tool degrades gracefully on phones and budget laptops rather than running out of memory.

The transformation in Content Security Policy Tester is deterministic — the same input plus the same options produces the same result every run. That predictability matters when the result has to match an upstream specification or be reproducible later.

Some background on the design choices behind Content Security Policy Tester: every option you see on the page is there because a real workflow needs it, and every option that is not shown has been deliberately omitted to keep the common case fast. The bias is toward minimal-but-complete.

Useful patterns when working with Content Security Policy Tester: keep the input file open in another tab so you can compare against the result; give the output file a descriptive name when saving so you can find it later (the default name is sensible but generic); and treat each run as independent — the tool has no concept of "history", which means you cannot accidentally pollute one job with leftovers from another.

If the result is not what you expected, the most common causes are easy to check. Confirm the input is under the 0 MB ceiling — files just above the cap fail silently because the engine refuses to allocate the buffer. Confirm the input is one of the supported formats. And if the page itself feels slow, try closing other heavy tabs to free up memory; the engine runs in your browser, so it competes for the same resources as everything else open.

As a single-page tool, Content Security Policy Tester stays focused on one developer utility step. Multi-step workflows are composed by chaining adjacent tools — each tool produces a standard file the next one can read directly, so a longer pipeline is just a sequence of short tab-and-tab visits.

Content Security Policy Tester is one of many single-purpose tools in the catalog. Each is built around the same single-page model. Use this one, close the tab, and come back the next time you need the same job done. None of the tools require prior knowledge of the others — each page is self-contained.

How it works

  1. Open the Content Security Policy Tester workspace above. The interface is a single page, so there is nothing to navigate.
  2. Drop a developer file onto the upload area, or click to pick one from your device.
  3. Tweak the controls if the defaults are not quite right for your input. The options are kept short and labelled in plain language.
  4. Click to start the job. The engine (standard browser APIs) processes the input in the page; you can watch the progress indicator until it completes.
  5. Save the output when it is ready.
  6. Repeat the process for additional inputs whenever you need to. The page stays loaded, so subsequent runs are quick.

Common use cases

  • Inspect a payload during local development without writing a script using Content Security Policy Tester.
  • Convert between data formats while wiring up an integration.
  • Validate a config blob before pushing to staging.
  • Compare two API responses to spot a regression.
  • Hash a string for a quick reproducibility check.
  • Generate a quick fixture without leaving the browser.
  • Generate boilerplate from a single specification line.
  • Format a noisy log line into something a teammate can read.

FAQ

What is CSP?

Content Security Policy (CSP) is an HTTP response header that restricts which resources a page can load, which helps prevent XSS attacks.

What directives are checked?

default-src, script-src, style-src, img-src, connect-src, font-src, frame-src, and more.

What warnings are shown?

'unsafe-inline', 'unsafe-eval', wildcard sources, missing directives, and overly permissive rules.

Can I test report-only?

Yes, the tool handles both Content-Security-Policy and Content-Security-Policy-Report-Only headers.

Nonce and hash?

Nonce and hash source values are recognized and shown in the directive breakdown.
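
The directive breakdown and warning categories described in the answers above can be sketched as follows. This is an added example, not Favtoo's code: the names `parseCsp`, `analyzeCsp` and `SAMPLE` are hypothetical, the sample policy is constructed, and the checks are a simplified subset of what a full analyzer would cover.

```javascript
// Added example: minimal CSP analyzer (hypothetical names, not the tool's own code).
// Matches nonce and hash source expressions such as 'nonce-abc' or 'sha256-...'.
const NONCE_OR_HASH =
  /^'(nonce-[A-Za-z0-9+/_-]+={0,2}|sha(256|384|512)-[A-Za-z0-9+/_-]+={0,2})'$/;

// Parse a policy string into a Map of directive name -> source list.
// Per the CSP spec, a repeated directive is ignored: the first one wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function analyzeCsp(policy) {
  const directives = parseCsp(policy);
  const warnings = [];
  for (const [name, sources] of directives) {
    if (!name.endsWith('-src')) continue;
    const lower = sources.map((s) => s.toLowerCase());
    // Nonce values are case-sensitive, so test the original tokens.
    const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
    // Browsers ignore 'unsafe-inline' in script-src/style-src when a
    // nonce or hash is present, so only warn when neither is there.
    if (lower.includes("'unsafe-inline'") && !hasNonceOrHash)
      warnings.push(`${name}: 'unsafe-inline' allows inline code`);
    if (lower.includes("'unsafe-eval'"))
      warnings.push(`${name}: 'unsafe-eval' allows eval()`);
    if (lower.includes('*')) warnings.push(`${name}: wildcard source`);
    for (const s of lower)
      if (/^(https?|data|blob):$/.test(s))
        warnings.push(`${name}: scheme-only source ${s}`);
  }
  // Without default-src there is no fallback for directives left out.
  if (!directives.has('default-src'))
    for (const d of ['script-src', 'object-src'])
      if (!directives.has(d))
        warnings.push(`missing ${d} and no default-src fallback`);
  return { directives, warnings };
}

// Constructed sample policy; the second script-src is ignored as a duplicate.
const SAMPLE =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https: ; img-src *; script-src 'none'";
```

The same function applies to a Content-Security-Policy-Report-Only value, since both headers share one policy syntax.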

Private?

Yes — parsing runs locally.

Which browsers are supported by Content Security Policy Tester?

Content Security Policy Tester works in any modern browser released in the last few years — Chrome, Edge, Firefox, Safari, Brave, Arc and the major Chromium derivatives are all supported. The underlying engine relies on widely-supported web APIs, so there is nothing exotic to install. If you are on a very old browser version and the tool fails to load, updating to the latest release of your preferred browser is the only fix needed.

What does Content Security Policy Tester do that command-line tools do not?

Desktop apps usually have more advanced features but require installation, maintenance and (often) a licence. Paid online tools are convenient but route your file through their servers and gate downloads behind accounts. Content Security Policy Tester sits in between: free, instant, and private, but intentionally narrow in scope. For one-off jobs and the common developer utility operations, it is usually the lowest-friction choice; for highly specialised work, a dedicated app is still the right answer.

How do I know I am using the latest version of Content Security Policy Tester?

Content Security Policy Tester is updated whenever the underlying engine releases an improvement or a bug fix. Because the tool is delivered as a static page, every visit fetches the latest version automatically — there is no "version" to manage on your end. If a particular release ever changes default behaviour, the change is documented on Favtoo's changelog so you can confirm what shifted.

How accessible is the Content Security Policy Tester interface?

Content Security Policy Tester uses native HTML controls wherever possible, which means keyboard navigation, focus rings, and screen-reader labels work the way the platform expects. The drop zone accepts files via the keyboard-accessible file picker as well as drag-and-drop, and result downloads use standard browser download flows. If you spot an accessibility gap, Favtoo treats it as a bug worth fixing.

Can I self-host Content Security Policy Tester for my team?

Content Security Policy Tester is a static page running an open-source engine in your browser, so a typical corporate firewall does not get in the way as long as it allows JavaScript to load from Favtoo. For teams that need to host it themselves on an internal network, the underlying engine (standard browser APIs) is open-source and can be packaged into a private build with the same behaviour. Reach out via the Contact page if that is something you are exploring.

Is there a desktop version of Content Security Policy Tester?

No installation is needed. Content Security Policy Tester runs as a normal web page, with no browser extension, no native helper, and no separate desktop client to download. That is partly a privacy choice — extensions can request broad permissions, while a regular page is sandboxed by default — and partly a convenience one: you can use Content Security Policy Tester on any computer you have temporary access to without leaving anything installed on it.

Does Content Security Policy Tester reduce quality of the result?

Content Security Policy Tester is built to preserve quality wherever the underlying developer format allows it. Operations that are mathematically lossless (e.g. structural transformations, lossless re-encoding) round-trip with no perceptible change. Operations that involve a lossy codec inevitably introduce small artefacts at the byte level, but the defaults aim at the sweet spot where output looks or sounds the same to a normal viewer or listener while still being meaningfully smaller or faster than the input.

How long does Favtoo retain my data after using Content Security Policy Tester?

Favtoo keeps no copy of your file because Favtoo never receives your file. Content Security Policy Tester runs entirely in your browser, the input is held only in your tab's memory, and closing the tab discards it. There is no opt-in cloud history, no "recent jobs" panel synced to an account, and no server-side retention to configure — the architecture simply has nowhere for your file to be stored.

How do I run Content Security Policy Tester over a folder of files?

Content Security Policy Tester processes one input at a time by design — it keeps memory usage predictable on lower-end devices and makes results easier to verify. To handle a folder, run the tool once per file; the page stays loaded between runs and remembers your last-used settings, so the second run is essentially instant.

CDN URL Builder

Build CDN URLs for popular services like jsDelivr, unpkg, cdnjs, and esm.sh with version pinning.

Cache-Control Generator

Generate HTTP Cache-Control headers with optimal directives for different resource types.

robots.txt Tester

Parse and validate robots.txt files — check rules, sitemaps, crawl-delay, and test URL matching.

XML Sitemap Parser

Parse XML sitemaps and display URL count, lastmod dates, changefreq, and priority statistics.

RSS Feed Validator

Validate RSS 2.0 feed XML structure, required elements, and display feed summary.

Atom Feed Validator

Validate Atom feed XML structure, required elements, and display feed metadata.

JSON Feed Validator

Validate JSON Feed (v1.1) structure, required fields, and display feed summary.

CSS Formatter

Format and beautify minified or messy CSS with proper indentation and line breaks.
