
CSP & Headers Analyzer

Two modes: paste a CSP string for a 12-rule audit, or scan a live URL to fetch its real response headers and run the full headers + SRI ruleset. Export to SARIF for GitHub Code Scanning.

2 high · 3 medium · 3 low · 1 info
high · CSP02 · 'unsafe-inline' on script-src · script-src

'unsafe-inline' allows inline <script> blocks, event-handler attributes and javascript: URLs, which is where the vast majority of XSS payloads land. It defeats most of CSP's purpose. One caveat: browsers that understand nonces or hashes ignore 'unsafe-inline' when the same directive carries one, so the keyword is harmless as a legacy fallback inside a nonce-based policy; the finding only matters when no nonce or hash is present.

fix: Replace inline scripts with a nonce-based policy ('nonce-<random>' plus 'strict-dynamic') or with hashes. The nonce must be fresh per response and come from a CSPRNG; the nonce approach is what frameworks like Next.js generate at request time.

high · CSP04 · Wildcard or scheme-only source in script-src · script-src

* and bare scheme sources (https:, http:) defeat CSP's allowlist by trusting the entire web; data: is worse still, because it lets an injection carry the script inline as a URL.

fix: Use 'self', explicit hosts, or a nonce-based policy with 'strict-dynamic'. Once 'strict-dynamic' and a nonce are in place, browsers ignore host and scheme sources, so https: is acceptable there only as a fallback for older browsers.

medium · CSP06 · object-src not set to 'none' · object-src

<object> and <embed> (and, in CSP2, <applet>) can load plugin content such as Flash and PDF, historically a rich XSS surface. Modern apps almost never need them. object-src does fall back to default-src, so default-src 'none' already covers it, but an explicit object-src 'none' survives a later loosening of default-src.

fix: Add object-src 'none' explicitly.

medium · CSP07 · base-uri not set · base-uri

Without base-uri, an XSS that injects <base href="…"> pointing at an attacker-controlled origin rewrites every relative URL on the page, so a trusted <script nonce="…" src="/app.js"> now fetches attacker code with a valid nonce. That is what makes base-uri the directive that keeps a nonce-based policy honest. It does not inherit from default-src, so it has to be set explicitly.

fix: Add base-uri 'self' or base-uri 'none'.

medium · CSP08 · frame-ancestors not set · frame-ancestors

frame-ancestors is the modern replacement for X-Frame-Options and takes precedence over it where both are sent. Without it (or X-Frame-Options), anyone can embed your app in an iframe and clickjack. It is only honoured in the HTTP header, never in a <meta> tag, and it does not inherit from default-src.

fix: Add frame-ancestors 'none' (or 'self' if you self-frame).

low · CSP09 · form-action not set · form-action

Without form-action, an injected <form> (or a rewritten action on an existing one) can post credentials to an attacker-controlled origin. form-action does not inherit from default-src, so a tight default-src does not cover it.

fix: Add form-action 'self' to restrict where forms can submit.

low · CSP10 · 'unsafe-inline' on style-src · style-src

Less dangerous than on scripts, but still enables CSS-based data exfiltration (attribute selectors that leak a CSRF token or input value one character at a time, font-ligature and scrollbar tricks) and UI redressing.

fix: Use nonces (or hashes) for styles as well, or move to a CSS-in-JS solution that emits its <style> tags with the same nonce.

low · CSP11 · No CSP reporting configured

Without report-uri or report-to, CSP violations happen silently. You won't see in-the-wild XSS attempts or accidental policy breakage.

fix: Add a report-to endpoint (modern; it needs a matching Reporting-Endpoints header that declares the group) or report-uri (legacy). Browser support for the two differs, so sending both is common. Even logging to your own server is a huge upgrade; expect some noise from browser extensions and stale caches.

info · CSP12 · upgrade-insecure-requests not set

Optional. If a page served over https:// still references http:// subresources, this directive makes the browser rewrite those requests to https:// before sending them, so they are upgraded rather than blocked as mixed content. It is not a substitute for HSTS, which protects the top-level navigation.

fix: Add upgrade-insecure-requests if you serve over HTTPS and may have legacy http:// references.

What this checks

Paste mode runs 12 CSP rules (CSP01–CSP12) against any policy string. Scan mode fetches a live URL and runs the same CSP rules plus 12 security-headers rules (HDR01–HDR12: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP, version banners) and a Subresource Integrity check on cross-origin <script> tags.
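A small CSP parser and the subset of the paste-mode rules whose titles appear above (CSP02, CSP04, CSP06 through CSP12), as an added example written here and not the analyzer's own code; severities follow the page, the fallback rules are the browser's, and the two policies at the bottom are constructed:

```javascript
// Added example, not the analyzer's code: a minimal CSP parser plus the rules
// listed on this page. Rule ids and severities follow the page; the sample
// policies are constructed here.

// "directive src src; directive" -> Map(directive -> [sources]).
// Directive names and keywords are case-insensitive; nonce and hash values
// are not, so those keep their case.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    const sources = tokens.slice(1).map(t => (/^'(nonce|sha)/i.test(t) ? t : t.toLowerCase()));
    // CSP3: a repeated directive is ignored; only the first occurrence counts.
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Fetch directives fall back to default-src; base-uri, form-action and
// frame-ancestors do not. null means "unrestricted".
function effective(d, name) {
  if (d.has(name)) return d.get(name);
  const fallsBack = ['script-src', 'style-src', 'object-src'].includes(name);
  return fallsBack && d.has('default-src') ? d.get('default-src') : null;
}

const hasNonceOrHash = srcs => srcs.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
const isSchemeOrWildcard = s => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s);

function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const add = (id, severity, directive, title) => findings.push({ id, severity, directive, title });

  // A missing script-src/default-src is its own problem, covered by rules not
  // shown on this page; here an absent directive simply yields [].
  const script = effective(d, 'script-src') || [];
  const nonceBased = hasNonceOrHash(script);
  // CSP02: a real problem only without a nonce/hash, which browsers prefer.
  if (script.includes("'unsafe-inline'") && !nonceBased) {
    add('CSP02', 'high', 'script-src', "'unsafe-inline' on script-src");
  }
  // CSP04: with 'strict-dynamic' + nonce, host/scheme sources are ignored anyway.
  if (script.some(isSchemeOrWildcard) && !(nonceBased && script.includes("'strict-dynamic'"))) {
    add('CSP04', 'high', 'script-src', 'Wildcard or scheme-only source in script-src');
  }
  const object = effective(d, 'object-src');
  if (!(object && object.length === 1 && object[0] === "'none'")) {
    add('CSP06', 'medium', 'object-src', "object-src not set to 'none'");
  }
  if (!d.has('base-uri')) add('CSP07', 'medium', 'base-uri', 'base-uri not set');
  if (!d.has('frame-ancestors')) add('CSP08', 'medium', 'frame-ancestors', 'frame-ancestors not set');
  if (!d.has('form-action')) add('CSP09', 'low', 'form-action', 'form-action not set');
  const style = effective(d, 'style-src') || [];
  if (style.includes("'unsafe-inline'") && !hasNonceOrHash(style)) {
    add('CSP10', 'low', 'style-src', "'unsafe-inline' on style-src");
  }
  if (!d.has('report-uri') && !d.has('report-to')) add('CSP11', 'low', null, 'No CSP reporting configured');
  if (!d.has('upgrade-insecure-requests')) add('CSP12', 'info', null, 'upgrade-insecure-requests not set');
  return findings;
}

// Totals in the "2 high · 3 medium · 3 low · 1 info" form used above.
function summarize(findings) {
  const counts = { high: 0, medium: 0, low: 0, info: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed: a typical first-attempt policy that trips every rule above ...
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'; img-src *";
// ... and the nonce-based policy the fixes lead to, which trips none.
const STRICT_POLICY =
  "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; " +
  "style-src 'nonce-r4nd0m'; img-src 'self'; object-src 'none'; base-uri 'none'; " +
  "frame-ancestors 'none'; form-action 'self'; report-to csp-endpoint; report-uri /csp-report; " +
  'upgrade-insecure-requests';
```

Two details worth carrying into any real auditor: a repeated directive is silently dropped by browsers (so `script-src 'self'; script-src 'unsafe-inline'` is not a finding), and base-uri, form-action and frame-ancestors never inherit from default-src, so a strict default-src does not excuse their absence.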

Both modes export to SARIF v2.1.0. Upload the file from a GitHub Code Scanning workflow (the upload-sarif step of codeql-action) and the findings show up in the repository's Security tab.
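The shape of a minimal SARIF 2.1.0 log that GitHub Code Scanning accepts, as an added example and not the analyzer's exporter. The findings, the tool name and the placeholder file path are constructed here; the level mapping is the usual one (high to error, medium to warning, low and info to note):

```javascript
// Added example, not the analyzer's exporter: findings -> minimal SARIF 2.1.0.
// Findings, tool name and the placeholder file path are constructed.

// SARIF has four levels (error, warning, note, none); the page's four
// severities map onto three of them.
const SARIF_LEVEL = { high: 'error', medium: 'warning', low: 'note', info: 'note' };

function toSarif(findings, { toolName = 'csp-audit-example', target = 'https://example.com/' } = {}) {
  // One rule object per distinct rule id, referenced by index from results.
  const rules = [];
  const ruleIndex = new Map();
  for (const f of findings) {
    if (ruleIndex.has(f.id)) continue;
    ruleIndex.set(f.id, rules.length);
    rules.push({
      id: f.id,
      shortDescription: { text: f.title },
      fullDescription: { text: f.description },
      help: { text: f.fix }, // shown as the alert body in the Security tab
      defaultConfiguration: { level: SARIF_LEVEL[f.severity] },
    });
  }
  const results = findings.map(f => ({
    ruleId: f.id,
    ruleIndex: ruleIndex.get(f.id),
    level: SARIF_LEVEL[f.severity],
    message: { text: f.directive ? `${f.title} (${f.directive})` : f.title },
    // Code Scanning files each result under a source location, and a response
    // header has no source file, so point at a placeholder path assumed to be
    // checked in to the repository.
    locations: [{ physicalLocation: { artifactLocation: { uri: 'csp-headers.txt' }, region: { startLine: 1 } } }],
    properties: { target }, // the scanned URL, kept in the free-form property bag
  }));
  return {
    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
    version: '2.1.0',
    runs: [{ tool: { driver: { name: toolName, rules } }, results }],
  };
}

// Constructed findings in the shape of the list on this page.
const SAMPLE_FINDINGS = [
  { id: 'CSP02', severity: 'high', directive: 'script-src', title: "'unsafe-inline' on script-src",
    description: "'unsafe-inline' allows inline <script> blocks and event-handler attributes.",
    fix: "Use 'nonce-...' with 'strict-dynamic', or hashes." },
  { id: 'CSP07', severity: 'medium', directive: 'base-uri', title: 'base-uri not set',
    description: 'An injected <base href> rewrites relative URLs, including nonced script src.',
    fix: "Add base-uri 'self' or base-uri 'none'." },
  { id: 'CSP11', severity: 'low', directive: null, title: 'No CSP reporting configured',
    description: 'Violations happen silently.',
    fix: 'Add report-to, and report-uri for older browsers.' },
];

// JSON.stringify(toSarif(SAMPLE_FINDINGS), null, 2) is the file to upload.
```

In the workflow, write that JSON to disk and pass it as `sarif_file` to `github/codeql-action/upload-sarif`; GitHub deduplicates alerts on rule id plus location across uploads, which is why a stable placeholder path matters more than it first appears.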

Out of scope (for now): require-trusted-types-for, trusted-types, sandbox, per-element directives like script-src-attr, and DNS-rebinding-aware IP re-resolution. Those need a Node runtime; the scanner runs on Edge.