CSP Bypass Analyzer
Parses the site's Content-Security-Policy from HTTP headers and meta tags. Identifies every exploitable bypass: unsafe-inline, unsafe-eval, wildcard origins, JSONP-capable CDN whitelists (cdnjs, googleapis, jsdelivr), missing frame-ancestors, base-uri gaps, object-src omissions, and overly permissive connect-src. Rates overall exploitability.
Bookmarklet: 🧱 Analyze CSP. Runs on any website; all processing happens in your browser. Drag it to your bookmarks bar, then use it on any website.
CSP Bypass Analyzer
Content-Security-Policy is the most important browser security header — when properly configured, it prevents XSS attacks entirely. But most CSPs are misconfigured with bypass vectors like unsafe-inline, JSONP-capable CDN whitelists, and missing directives.
Common Bypasses
unsafe-inline allows inline script injection. Whitelisting CDNs like cdnjs.cloudflare.com or ajax.googleapis.com allows CSP bypass via JSONP callbacks hosted on those CDNs. Missing base-uri allows base tag injection.
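The checks described above, as an added example that is not the page's own bookmarklet code: a small analyzer that parses a policy string, resolves default-src fallback, and reports the weaknesses named on this page. The CDN hostnames are the ones the page lists; the severity levels and the letter-grade mapping are this example's own assumptions.

```javascript
// Added example: minimal CSP analyzer (not the page's bookmarklet).
// JSONP-capable CDN hosts are the ones named on the page; severities and grades are assumed.
const JSONP_CAPABLE_CDNS = ["cdnjs.cloudflare.com", "ajax.googleapis.com", "cdn.jsdelivr.net"];

// Directives that never fall back to default-src.
const NO_FALLBACK = new Set(["frame-ancestors", "base-uri", "form-action", "sandbox", "report-uri", "report-to"]);

// Parse "directive src src; directive src" into {directive: [sources]}.
// Browsers honour only the first occurrence of a directive, so duplicates are dropped.
function parseCsp(policyString) {
  const policy = {};
  for (const part of policyString.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// The source list that actually governs a directive after default-src fallback; null = unrestricted.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if (!NO_FALLBACK.has(directive) && "default-src" in policy) return policy["default-src"];
  return null;
}

// Does a host-source expression (optional scheme, port, path, leading "*." wildcard) cover a hostname?
function sourceCoversHost(source, host) {
  const m = source.match(/^(?:[a-z][a-z0-9+.-]*:\/\/)?([^/:]+)/i);
  if (!m) return false;
  const pattern = m[1].toLowerCase();
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Return {grade, findings} for one policy string (header value or meta tag content).
function analyzeCsp(policyString) {
  const policy = parseCsp(policyString);
  const findings = [];
  const add = (severity, directive, message) => findings.push({ severity, directive, message });

  const script = effectiveSources(policy, "script-src");
  if (script === null) {
    add("critical", "script-src", "neither script-src nor default-src is set; script loading is unrestricted");
  } else {
    // A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it when neither is present.
    const hasNonceOrHash = script.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
      add("critical", "script-src", "'unsafe-inline' permits injected inline scripts");
    }
    if (script.includes("'unsafe-eval'")) add("high", "script-src", "'unsafe-eval' permits string-to-code sinks such as eval()");
    for (const s of script) {
      if (s === "*" || /^(https?|data|blob):$/i.test(s)) add("high", "script-src", `source ${s} is a wildcard or bare scheme`);
    }
    for (const cdn of JSONP_CAPABLE_CDNS) {
      if (script.some((s) => s !== "*" && sourceCoversHost(s, cdn))) {
        add("high", "script-src", `${cdn} hosts JSONP endpoints; whitelisting it undermines the policy`);
      }
    }
  }
  if (!("frame-ancestors" in policy)) add("medium", "frame-ancestors", "missing; any origin may frame the page (clickjacking)");
  if (!("base-uri" in policy)) add("medium", "base-uri", "missing; an injected <base> tag can redirect relative script URLs");
  const object = effectiveSources(policy, "object-src");
  if (object === null || object.includes("*")) add("medium", "object-src", "unrestricted; <object>/<embed> content may load from any origin");
  const connect = effectiveSources(policy, "connect-src");
  if (connect === null || connect.includes("*")) add("low", "connect-src", "unrestricted; fetch/XHR/WebSocket may reach any origin");
  const style = effectiveSources(policy, "style-src");
  if (style && style.includes("'unsafe-inline'")) add("low", "style-src", "'unsafe-inline' in style-src is less severe than in script-src but still not ideal");

  const order = ["critical", "high", "medium", "low"];
  const grades = { critical: "F", high: "D", medium: "C", low: "B" };
  const worst = order.find((sev) => findings.some((f) => f.severity === sev));
  return { grade: worst ? grades[worst] : "A", findings };
}

// Constructed sample policy for a stand-alone run.
const SAMPLE = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
console.log(JSON.stringify(analyzeCsp(SAMPLE), null, 2));
```

In a bookmarklet the same `analyzeCsp` would be called once per `<meta http-equiv="Content-Security-Policy">` element and once for the header value; a policy carrying a nonce or hash is deliberately not penalised for a leftover `'unsafe-inline'`, since browsers that understand nonces ignore it.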
- CSP: Content-Security-Policy, an HTTP header that restricts which sources can load scripts, styles, images, and other resources on a page.
🧱 CSP Bypass Analyzer — FAQ
What is a JSONP bypass?
CDNs that host JSONP endpoints (like cdnjs) return a script whose callback name is taken from the request, so an attacker can have the CDN serve attacker-chosen code. Whitelisting such a CDN in script-src therefore defeats the CSP.
Is unsafe-inline always bad?
In script-src, yes — it allows inline script injection. In style-src, it's less dangerous but still not ideal. Nonces or hashes are preferred.
What is Report-Only mode?
CSP Report-Only logs violations without blocking them. It's useful for testing but provides no actual protection.
What grade should I aim for?
Grade A with no critical findings. At minimum, set script-src without unsafe-inline and include frame-ancestors.
Can this fix my CSP?
It identifies problems — fixing requires updating your server's HTTP headers. Use the findings to prioritize changes.