
CSP Playground

Content-Security-Policy is the single most effective XSS mitigation we've ever shipped, and it's the one most teams either skip, deploy with 'unsafe-inline', or copy-paste from the internet without understanding. This lab fixes that.

~90% of CSP deployments in the wild include 'unsafe-inline' on script-src, neutralizing most of the XSS protection.
2 lines is all a strict, nonce-based CSP needs. The rest is migration work.
0 reports is what you get without report-uri / report-to. Most policies break silently.

Three things in this lab

Analyzer

Paste any CSP string. The analyzer flags the patterns I flag in client engagements: 'unsafe-inline', 'unsafe-eval', wildcards, missing object-src, missing base-uri, no nonce, no report endpoint. Twelve rules, severity-ranked, with fixes.

Open analyzer →
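As an added illustration of what such an analyzer does (this is example code written for this page, not the lab's own analyzer, and the rule ids, severities and fix text are its own choices), here is a minimal checker for the seven patterns named above. It parses the header the way browsers do (first occurrence of a directive wins, keywords are case-insensitive, script-src and object-src fall back to default-src, base-uri does not) and it knows the two CSP3 quirks that trip up naive checkers: 'unsafe-inline' is ignored once a nonce or hash is present, and host or scheme sources are ignored under 'strict-dynamic', so a strict policy that keeps them as fallbacks for old browsers is not a finding.

```javascript
// Added example, not the lab's analyzer. Rule ids, severities and fix text are
// this example's own; the policies in the usage note are constructed.

// Parse a CSP header into Map<directive, [sources]>. Directives are separated
// by ';', tokens by ASCII whitespace; names are case-insensitive, and a
// repeated directive is ignored after its first occurrence, as browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

const isNonceOrHash = s => /^'(nonce-|sha(256|384|512)-)/i.test(s);
const isKeyword = (s, kw) => s.toLowerCase() === kw;
// '*', scheme-only sources such as "https:", and "*.host" admit far more than intended.
const isWildcard = s => s === '*' || /^[a-z][a-z0-9+.-]*:$/i.test(s) || s.startsWith('*.');

function analyzeCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const flag = (rule, severity, fix) => findings.push({ rule, severity, fix });

  // script-src and object-src fall back to default-src; base-uri never does.
  const scriptSrc = policy.get('script-src') ?? policy.get('default-src') ?? null;
  const objectSrc = policy.get('object-src') ?? policy.get('default-src') ?? null;
  const script = scriptSrc ?? [];
  const nonced = script.some(isNonceOrHash);
  const strictDynamic = script.some(s => isKeyword(s, "'strict-dynamic'"));

  if (scriptSrc === null) {
    flag('no-script-src', 'high', "Add script-src (or default-src); without one any script may run.");
  }
  // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present, so it
  // is only a finding when it is actually in effect.
  if (script.some(s => isKeyword(s, "'unsafe-inline'")) && !nonced) {
    flag('unsafe-inline', 'critical', "Move inline scripts to nonced <script> tags and drop 'unsafe-inline'.");
  }
  if (script.some(s => isKeyword(s, "'unsafe-eval'"))) {
    flag('unsafe-eval', 'high', "Remove eval()/new Function() call sites, then drop 'unsafe-eval'.");
  }
  // Host and scheme sources are ignored under 'strict-dynamic', so wildcards
  // kept there as fallbacks for pre-CSP3 browsers are harmless.
  if (!strictDynamic && script.some(isWildcard)) {
    flag('wildcard', 'high', "Replace '*', scheme-only and '*.host' sources with a nonce plus 'strict-dynamic'.");
  }
  if (scriptSrc !== null && !nonced) {
    flag('no-nonce', 'medium', "Host allowlists are bypassable (JSONP, open redirects); use a per-response nonce.");
  }
  if (!(objectSrc && objectSrc.length === 1 && isKeyword(objectSrc[0], "'none'"))) {
    flag('missing-object-src', 'high', "Add object-src 'none' to close plugin-based script execution.");
  }
  if (!policy.has('base-uri')) {
    flag('missing-base-uri', 'medium', "Add base-uri 'none' (or 'self'); an injected <base> rewrites relative script URLs.");
  }
  if (!policy.has('report-uri') && !policy.has('report-to')) {
    flag('no-report-endpoint', 'low', "Add report-to (and report-uri for older browsers) so breakage is visible.");
  }
  return findings;
}
```

Feed it a typical copy-pasted policy such as `default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com *` and it returns six findings (unsafe-inline, wildcard, no-nonce, missing-object-src, missing-base-uri, no-report-endpoint); feed it the strict shape `script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'; base-uri 'none'; report-to csp-endpoint` and it returns none, because the fallback sources are inert in any browser that understands the nonce.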

Four shapes

The four canonical CSP shapes I see in practice — fully open, allowlist, nonce, strict-dynamic — with the actual headers and what each one does and does not block. Use it to pick the right starting point.

Compare →

Bypasses

Why CDN allowlists fail (JSONP endpoints), why base-uri matters more than people think, the dangling-markup attack, and what you give up when you ship 'unsafe-inline' "just for now."

Read →
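To make the comparison in Four shapes and the allowlist and base-uri points above concrete, here is an added example (written for this page, not the lab's code) that models the CSP3 script-src decision and runs the four shapes against four constructed scripts: an injected inline payload, the app's own nonced bootstrap, an allowlisted CDN's JSONP endpoint used as a script source, and a widget that trusted code appends via createElement. The shapes, hosts, nonce and page origin are illustrative, and the model is deliberately simplified: it propagates 'strict-dynamic' trust to external scripts only and does not cover hashes on external scripts or dangling-markup injection.

```javascript
// Added example, not the lab's code. Simplified model of the CSP3 script-src
// decision; hosts, nonce, page origin and the test scripts are constructed.
const PAGE_ORIGIN = 'https://app.example.com';
const NONCE = 'd3adb33f';

const SHAPES = {
  open: null,                                               // no script-src at all
  allowlist: ["'self'", 'https://cdn.example.com'],
  nonce: [`'nonce-${NONCE}'`],
  // The strict shape; https: and 'unsafe-inline' are fallbacks that CSP3 browsers ignore.
  strictDynamic: [`'nonce-${NONCE}'`, "'strict-dynamic'", 'https:', "'unsafe-inline'"],
};

const isNonceOrHash = s => /^'(nonce-|sha(256|384|512)-)/i.test(s);

// Does one host or scheme source match a script URL? Keyword sources never do.
function hostSourceMatches(source, url) {
  if (source === '*') return true;
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const allowed = new URL(source.includes('://') ? source : `https://${source}`);
  const pathOk = allowed.pathname === '/' || url.pathname.startsWith(allowed.pathname);
  return allowed.origin === url.origin && pathOk;
}

// script: { kind: 'inline' | 'external', src?, nonce?, parserInserted: bool }
// parserInserted is true for markup the HTML parser saw (including injected
// markup) and false for elements created by script via the DOM.
function scriptAllowed(sources, script) {
  if (sources === null) return true;                       // fully open: everything runs
  const has = kw => sources.some(s => s.toLowerCase() === kw);
  const nonced = sources.some(isNonceOrHash);
  // A matching nonce wins in every shape.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  if (has("'strict-dynamic'")) {
    // Host sources, 'self' and 'unsafe-inline' are ignored. Trust propagates
    // only to scripts that already-trusted code creates via the DOM.
    return script.kind === 'external' && !script.parserInserted;
  }
  // 'unsafe-inline' is honoured only when no nonce or hash is in the list.
  if (script.kind === 'inline') return has("'unsafe-inline'") && !nonced;
  // External script under a plain allowlist: a host match is all it takes,
  // which is exactly what a JSONP endpoint on an allowed host exploits.
  const url = new URL(script.src);
  return sources.some(s => (s === "'self'" ? url.origin === PAGE_ORIGIN : hostSourceMatches(s, url)));
}

// Constructed test scripts.
const CASES = {
  injectedInline: { kind: 'inline', parserInserted: true },                // <script>alert(1)</script> from an XSS
  noncedInline:   { kind: 'inline', parserInserted: true, nonce: NONCE },  // the app's own bootstrap
  jsonpOnCdn:     { kind: 'external', parserInserted: true, src: 'https://cdn.example.com/api/jsonp?callback=alert' },
  dynamicWidget:  { kind: 'external', parserInserted: false, src: 'https://cdn.example.com/widget.js' },
};

// Allowed/blocked matrix: shape -> case -> boolean.
function matrix() {
  const out = {};
  for (const [shape, sources] of Object.entries(SHAPES)) {
    out[shape] = {};
    for (const [name, script] of Object.entries(CASES)) out[shape][name] = scriptAllowed(sources, script);
  }
  return out;
}

// base-uri: relative script URLs resolve against an injected <base href>. The
// page's own <script nonce src="/static/app.js"> then loads from the attacker's
// host carrying a valid nonce, which is why base-uri 'none' belongs next to it.
function resolveScriptSrc(relSrc, injectedBaseHref, pageUrl = `${PAGE_ORIGIN}/account`) {
  return new URL(relSrc, injectedBaseHref ?? pageUrl).href;
}

console.table(matrix());
console.log(resolveScriptSrc('/static/app.js', 'https://attacker.example/'));
```

The matrix is the whole argument of Four shapes in one table: the allowlist blocks the injected inline script but lets the CDN's JSONP endpoint through, the bare nonce shape blocks JSONP but also breaks the widget loaded at runtime, and the strict-dynamic shape blocks both injections while keeping the dynamic load, because trust follows the nonced script rather than the host. The base-uri helper shows the other half: with `<base href="https://attacker.example/">` injected, `/static/app.js` resolves to the attacker's host, and no script-src setting catches a nonced tag whose src now points there.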

Read in order if you're new

  1. Read Four shapes to understand the design space.
  2. Drop your real prod CSP into the analyzer. Most people are surprised.
  3. Skim Bypasses to know what your policy is and isn't actually defending against.