
CSP Playground

Content-Security-Policy is the single most effective XSS mitigation we've ever shipped, and it's the one most teams either skip, deploy with 'unsafe-inline', or copy-paste from the internet without understanding. This lab fixes that.

~90% of CSP deployments in the wild include 'unsafe-inline' on script-src, neutralizing most of the XSS protection.
2 lines is all a strict, nonce-based CSP needs. The rest is migration work.
0 reports is what you get without report-uri / report-to. Most policies break silently.

Four things in this lab

Analyzer

Paste any CSP string. The analyzer flags the patterns I flag in client engagements: 'unsafe-inline', 'unsafe-eval', wildcards, missing object-src, missing base-uri, no nonce, no report endpoint. Twelve rules, severity-ranked, with fixes.

Open analyzer →
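A minimal version of the checks described above, added here as an example and not the lab's own analyzer: a Python linter for the named patterns. The rule wording, severities and the two sample policies are my own assumptions.

```python
# Added example, not the lab's analyzer: a small CSP linter covering the
# patterns named above. Rule wording and severities are my own choices.
SEVERITY = {"high": 0, "medium": 1, "low": 2}

def parse_csp(policy):
    """Split a header value into {directive: [source tokens]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def analyze_csp(policy):
    """Return [(severity, message)] for the policy, highest severity first."""
    d = parse_csp(policy)
    # script-src and object-src fall back to default-src; base-uri does not.
    script = d.get("script-src", d.get("default-src", []))
    has_nonce = any(s.startswith("'nonce-") for s in script)
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in script)
    findings = []
    # A nonce or hash makes CSP3 browsers ignore 'unsafe-inline', so flag it only when it stands alone.
    if "'unsafe-inline'" in script and not (has_nonce or has_hash):
        findings.append(("high", "script-src: 'unsafe-inline' with no nonce/hash allows any inline script"))
    if "'unsafe-eval'" in script:
        findings.append(("high", "script-src: 'unsafe-eval' re-enables eval()/new Function()"))
    # With 'strict-dynamic', host and scheme sources are ignored, so they are not wildcards here.
    if "'strict-dynamic'" not in script and any(
            s == "*" or "*." in s or s in ("http:", "https:") for s in script):
        findings.append(("high", "script-src: wildcard or scheme-only source allows scripts from anywhere"))
    if d.get("object-src", d.get("default-src")) != ["'none'"]:
        findings.append(("medium", "object-src is not 'none'; plugin content can carry script"))
    if "base-uri" not in d:
        findings.append(("medium", "base-uri missing (no fallback): injected <base> retargets relative script URLs"))
    if not has_nonce:
        findings.append(("low", "no nonce on script-src: allowlist-only policies fail against JSONP on allowed hosts"))
    if "report-uri" not in d and "report-to" not in d:
        findings.append(("low", "no report-uri/report-to: violations will never be seen"))
    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings

# Constructed sample policies for illustration (not from any real site).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *.cdn.example"
STRICT_CSP = ("script-src 'nonce-R4nd0mV4lu3' 'strict-dynamic' 'unsafe-inline' https:; "
              "object-src 'none'; base-uri 'none'; report-to csp-endpoint")

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, analyze_csp(csp) or "no findings")
```

The strict sample is the nonce-plus-'strict-dynamic' shape; the trailing 'unsafe-inline' and https: are fallbacks for pre-CSP3 browsers and are ignored once a nonce is present.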

Sandbox

Live iframe enforcing whatever CSP you paste, with every violation piped into a console mirror. Ten preset bypass scenarios (JSONP-on-allowlist, dangling-markup, 'strict-dynamic' without a nonce, eval, etc.) you can load with one click and watch fail or pass in real time.

Open sandbox →

Four shapes

The four canonical CSP shapes I see in practice — fully open, allowlist, nonce, strict-dynamic — with the actual headers and what each one actually blocks. Use it to pick the right starting point.

Compare →

Bypasses

Why CDN allowlists fail (JSONP endpoints), why base-uri matters more than people think, the dangling-markup attack, and what you give up when you ship 'unsafe-inline' "just for now."

Read →

Read in order if you're new

  1. Read Four shapes to understand the design space.
  2. Drop your real prod CSP into the analyzer. Most people are surprised.
  3. Open the sandbox and step through the ten scenarios. The bypasses become obvious once you see them fire (or silently not fire) in a real iframe.
  4. Skim Bypasses for the consulting framing of the same patterns.