Analyze Content Security Policy headers for vulnerabilities. Identify misconfigurations, JSONP bypasses, and get actionable bypass payloads.
Paste a Content-Security-Policy header and click "Analyze CSP" to find bypass payloads that work for your target.
script-src: Controls the sources from which JavaScript may load. The most critical directive for XSS prevention.
default-src: Fallback for directives that are not set explicitly. Use 'none' or 'self' as the baseline.
base-uri: Restricts the URLs allowed in the <base> element. If missing, <base> tag injection is possible.
object-src: Controls plugin content (Flash, Java). Should be 'none' in modern apps.
frame-ancestors: Prevents clickjacking by restricting which origins may frame the page. Replaces the X-Frame-Options header.
form-action: Restricts where forms may be submitted. Prevents form hijacking attacks.
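The directive checks described above can be expressed as a small, offline checker. The code below is an added example, not the analyzer's own code: it parses a Content-Security-Policy header value into directives (first occurrence of a duplicate directive wins, as browsers do) and reports the misconfigurations listed above. The two sample policies are constructed for illustration; the nonce value is a placeholder.

```python
"""Minimal CSP header checker (added example, not the analyzer's own code).

Flags: missing or weak default-src fallback, script-src that permits inline or
arbitrary-host scripts, missing base-uri, object-src not 'none', and missing
frame-ancestors / form-action (neither of which falls back to default-src).
"""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source, ...]}.

    Directive names are case-insensitive and lower-cased here; source values are
    kept as written. Browsers honour only the first copy of a duplicated
    directive, so later copies are ignored.
    """
    directives: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in directives:  # first occurrence wins
            directives[name] = parts[1:]
    return directives


def check_csp(header: str) -> List[str]:
    """Return human-readable findings for a CSP header value (empty if none)."""
    csp = parse_csp(header)
    findings: List[str] = []

    default: Optional[List[str]] = csp.get("default-src")
    if default is None:
        findings.append("default-src missing: unset fetch directives allow any source")
    elif not {"'none'", "'self'"} & {s.lower() for s in default}:
        findings.append("default-src does not use 'none' or 'self' as baseline")

    # script-src falls back to default-src when absent.
    script = csp.get("script-src", default)
    if script is None:
        findings.append("script-src missing with no default-src fallback: any script source allowed")
    else:
        lowered = [s.lower() for s in script]
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
        )
        # With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'.
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without nonces/hashes: inline XSS not blocked")
        if "'unsafe-eval'" in lowered:
            findings.append("script-src allows 'unsafe-eval'")
        if "*" in lowered or "https:" in lowered or "http:" in lowered:
            findings.append("script-src allows any host ('*' or bare scheme): third-party-hosted scripts run")

    if "base-uri" not in csp:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")

    obj = csp.get("object-src", default)
    if obj is None:
        findings.append("object-src missing with no default-src fallback: plugin content allowed")
    elif "'none'" not in [s.lower() for s in obj]:
        findings.append("object-src is not 'none': plugin content allowed")

    # These two directives do NOT inherit from default-src.
    if "frame-ancestors" not in csp:
        findings.append("frame-ancestors missing: page can be framed unless X-Frame-Options is set")
    if "form-action" not in csp:
        findings.append("form-action missing: forms can be submitted to any origin")

    return findings


# Constructed sample policies (not from any real site); the nonce is a placeholder.
WEAK_CSP = "script-src 'self' 'unsafe-inline' https:; img-src *"
HARDENED_CSP = (
    "default-src 'none'; script-src 'self' 'nonce-PLACEHOLDER'; style-src 'self'; "
    "img-src 'self'; base-uri 'none'; object-src 'none'; "
    "frame-ancestors 'none'; form-action 'self'"
)

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {policy}")
        for finding in check_csp(policy) or ["no findings"]:
            print("  -", finding)
```

Run as a script it prints seven findings for the weak policy and none for the hardened one. The checker deliberately treats a bare `https:` scheme in script-src as equivalent to a wildcard, since it permits any HTTPS host to serve scripts.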