XowiaScan

CSP / CORS Analyzer

Web Security

Grade a site’s Content-Security-Policy and cross-origin exposure with actionable findings.

What is CSP / CORS Analyzer?

CSP / CORS Analyzer parses a target’s Content-Security-Policy and evaluates how effectively it mitigates XSS and data injection, while also examining cross-origin exposure. It highlights the weak directives that quietly defeat the policy.

A CSP can look present yet be trivially bypassable — this tool tells the difference and explains how to tighten it.

What it analyzes

  • Directive coverage — script-src, object-src, base-uri, frame-ancestors and friends.
  • Weakness detection — unsafe-inline, unsafe-eval, overly broad wildcards and missing fallbacks.
  • Bypass hints — common ways the configured policy could be circumvented.
  • CORS exposure — how the cross-origin settings interact with the policy.
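
The directive and weakness checks listed above, sketched as an added example (this is not XowiaScan's code; the function names and the two sample policies are constructed for illustration). It covers only the CSP side: script-src fallback to default-src, unsafe-inline, unsafe-eval, broad sources, and the directives that never inherit from default-src.

```python
# Added example: a minimal CSP weakness check, not XowiaScan's implementation.
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD = {"*", "http:", "https:", "data:"}        # match far too many origins
NO_FALLBACK = ("base-uri", "frame-ancestors")    # never inherit default-src


def parse_csp(header):
    """Split a policy into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def findings(header):
    """Return a list of weakness strings for one Content-Security-Policy value."""
    policy = parse_csp(header)
    out = []
    for name in ("script-src", "object-src"):
        if name not in policy and "default-src" not in policy:
            out.append(f"{name}: missing and no default-src fallback")
    script = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    pinned = any(s.startswith(HASH_OR_NONCE) for s in script)
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    if "'unsafe-inline'" in script and not pinned:
        out.append("script-src: 'unsafe-inline' lets injected inline script run")
    if "'unsafe-eval'" in script:
        out.append("script-src: 'unsafe-eval' permits eval-style code execution")
    # Simplification: 'strict-dynamic' (which disables host sources) is not modelled.
    out += [f"script-src: broad source {s}" for s in script if s in BROAD]
    for name in NO_FALLBACK:
        if name not in policy:
            out.append(f"{name}: missing (does not fall back to default-src)")
    return out


# Constructed sample policies.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT = ("script-src 'nonce-R4nd0m' 'unsafe-inline'; object-src 'none'; "
          "base-uri 'none'; frame-ancestors 'self'")

if __name__ == "__main__":
    for label, csp in (("weak", WEAK), ("strict", STRICT)):
        print(label, findings(csp) or "no findings")
```

The WEAK policy looks present but yields four findings; the STRICT one yields none even though it still contains 'unsafe-inline', because the nonce takes precedence.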

Where it fits in your workflow

  • Assess whether a CSP genuinely blocks XSS or just looks like it does.
  • Produce concrete directive fixes for a hardening report.

Use CSP / CORS Analyzer

Run it from your dashboard.

At a glance

  • Category: Web Security
  • Runs: Server-side
  • Token cost: 3 / run (free tier)
  • Access: Free
  • Status: ● Live

Frequently asked questions

Why is unsafe-inline a problem?

It allows inline scripts and event handlers to run, which is exactly what most XSS relies on — so a policy with unsafe-inline offers little real protection against script injection.
