FREE TOOL

CSP & Security Headers Checker

Test any domain's Content Security Policy and security headers. Detect unsafe-inline, unsafe-eval, and verify X-Frame-Options, referrer policy, and permissions policy.

What is Content Security Policy?

CSP is an HTTP response header that controls which resources (scripts, styles, images, fonts) a page may load and which inline code may run. It is one of the strongest mitigations for cross-site scripting (XSS). By allowlisting trusted sources, CSP stops injected scripts from executing even when an attacker finds an injection point in your application; it does not remove the injection bug itself, so it belongs alongside output encoding rather than in place of it.

Why check your security headers?

Security headers are your first line of defense at the HTTP layer. CSP prevents XSS, X-Frame-Options prevents clickjacking, X-Content-Type-Options prevents MIME sniffing, Referrer-Policy controls information leakage, and Permissions-Policy restricts browser features like camera and microphone access. Missing headers leave these attack surfaces wide open.

How to implement security headers

Add headers in your web server or application framework. Start with a report-only CSP (Content-Security-Policy-Report-Only) to identify what would break, then enforce it. Set X-Frame-Options to DENY or SAMEORIGIN (modern browsers prefer the CSP frame-ancestors directive, so set both), X-Content-Type-Options to nosniff, and Referrer-Policy to strict-origin-when-cross-origin. Test thoroughly — overly strict CSP can break your site.

FAQ

Frequently asked questions

Is this CSP checker free?

Yes, completely free. No signup or credit card required. Test any public domain's CSP and security headers instantly.

What does unsafe-inline mean?

The 'unsafe-inline' source keyword, when it appears in a CSP script-src or style-src directive (or in default-src, which those directives inherit), allows inline JavaScript and CSS to execute. This largely defeats the purpose of CSP, because XSS attacks typically inject inline scripts. Replace 'unsafe-inline' with nonce-based or hash-based sources for real protection; a browser that sees a nonce or hash in the same directive ignores 'unsafe-inline' anyway.
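The checks described in "How to implement security headers" and in this answer, as an added example that is not the tool's own code: it parses a Content-Security-Policy header, flags 'unsafe-inline' (only when no nonce or hash is present, since browsers then ignore it), 'unsafe-eval' and wildcard script sources, and reports missing framing, sniffing, referrer and permissions headers. The sample header sets are constructed for the demo, not taken from any real site.

```python
import re

def parse_csp(policy):
    """Split a CSP header into {directive: [source expressions]} (lowercased)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(t.lower() for t in tokens[1:])
    return directives

def audit_headers(headers):
    """Return a list of findings for a dict of HTTP response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        # Report-Only is the right first step, but it enforces nothing; audit it anyway
        mode = "report-only" if "content-security-policy-report-only" in h else "missing"
        findings.append(f"CSP {mode}: no enforced policy")
        csp = h.get("content-security-policy-report-only", "")
    d = parse_csp(csp)
    script_src = d.get("script-src", d.get("default-src", []))  # script-src inherits default-src
    has_nonce_or_hash = any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in script_src)
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append("CSP: 'unsafe-inline' in script-src lets injected inline scripts run")
    if "'unsafe-eval'" in script_src:
        findings.append("CSP: 'unsafe-eval' in script-src allows eval()/new Function()")
    if "*" in script_src:
        findings.append("CSP: wildcard '*' in script-src allows scripts from any origin")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in d and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Clickjacking: no frame-ancestors and X-Frame-Options not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings

# Constructed sample responses for the demo (not captured from any real site)
WEAK = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *",
        "X-Frame-Options": "ALLOWALL"}
HARDENED = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
            "Permissions-Policy": "camera=(), microphone=()"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["no findings"])
```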

How is this different from a headers checker?

This tool focuses on Content Security Policy analysis (detecting unsafe directives) while also checking related security headers. Our full headers checker examines all HTTP response headers. CQwerty Shield's complete scan covers both plus 16 other security dimensions for a comprehensive view.

FULL SECURITY AUDIT

CSP & Security Headers Checker is just the start.

CQwerty Shield checks SSL, DMARC, SPF, DNS, HTTP headers, WHOIS, breach intel, and more — with CVE/KEV cross-references on every finding.
