CSP Report Analyzer
Diagnose security headers and policies in your browser. No input is sent to a server. Use it for first-pass checks before rollout.
Status
Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.
How to use
Paste CSP report JSON and click Parse. Use the summarized directive/source info to narrow fix candidates.
Notes (this tool)
- Field names and presence vary by browser and by reporting mechanism: report-uri bodies use hyphenated keys (blocked-uri, effective-directive), Reporting API bodies use camelCase keys (blockedURL, effectiveDirective). A missing field is not by itself an error.
- Do not change a policy on the basis of a single report; collect frequency and reproduction patterns first.
About this page
What does this tool do?
Parses CSP reports (report-to/report-uri) and summarizes violations.
Debugging workflow (recommended)
- Paste CSP report JSON
- Check violations
- Validate policy with CSP Inspect
Recommendations (practical)
- Roll out with report-only first
- Prioritize frequent directives
- Use nonces or hashes for inline scripts and styles so 'unsafe-inline' can be dropped from script-src and style-src
Related tools
- CSP Inspect
- CSP Builder
- Security Headers Audit
What this tool does
- Extract key CSP report fields
- List violations at a glance
Operational notes
- Recommended values are environment-dependent. Validate against functional requirements before applying.
- In production, use phased rollout with report monitoring.
Referenced specs
- MDN: CSP Reports
FAQ
How should CSP report noise be handled?
Group duplicate root causes and prioritize by both frequency and impact.
How should report-only and enforce be used?
Start with report-only to observe violations, then move to enforce after fixes.
Page-specific case studies
Use this page to separate noisy CSP reports from high-impact violations.
- Group violations by effective-directive (or violated-directive in older report-uri bodies) to see which directive fires most often.
- Bucket blocked-uri values by host; keep non-URL values such as inline, eval and data as their own buckets rather than dropping them.
- Deduplicate repeated reports caused by the same issue.
Page-specific implementation checklist
- Prioritize fixes by both volume and business impact.
- Add filtering rules for known report noise.
- Measure violation reduction quantitatively after fixes.
- Regularly audit policy drift against real-world behavior.
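The grouping, deduplication and noise-filtering steps listed under the case studies and the checklist above, as an added example in JavaScript. This is not the page's own tool code; it shows how both report formats can be parsed into one shape and then summarized. The sample reports, hostnames, paths and the extension-scheme noise rule are constructed for illustration and are assumptions, not data from the page.

```javascript
// Added example, not the page's own tool code: parse CSP violation reports in
// both wire formats, normalize field names, then group, deduplicate and filter.
// Sample reports below are constructed; hosts and paths are hypothetical.

// report-uri format: one object under "csp-report" with hyphenated keys.
// Reporting API (report-to) format: an array of {type, url, body} objects
// with camelCase keys in body. This map folds the legacy names onto the
// Reporting API names so the rest of the code deals with one shape.
const LEGACY_KEYS = {
  'document-uri': 'documentURL', 'blocked-uri': 'blockedURL',
  'violated-directive': 'violatedDirective', 'effective-directive': 'effectiveDirective',
  'original-policy': 'originalPolicy', 'source-file': 'sourceFile',
  'line-number': 'lineNumber', 'column-number': 'columnNumber',
  'script-sample': 'sample', 'status-code': 'statusCode',
};

function normalizeReport(raw) {
  const body = raw['csp-report'] || raw.body || raw;
  const out = {};
  for (const [k, v] of Object.entries(body)) out[LEGACY_KEYS[k] || k] = v;
  // Reporting API bodies carry only effectiveDirective; older report-uri bodies
  // may carry only violated-directive. Group on whichever is present.
  out.effectiveDirective = out.effectiveDirective || out.violatedDirective || '';
  out.blockedURL = out.blockedURL || '';   // some browsers send "" for inline
  return out;
}

// Accept a pasted JSON string in either format; drop non-CSP Reporting API entries.
function parseReports(text) {
  const parsed = JSON.parse(text);
  const items = Array.isArray(parsed) ? parsed : [parsed];
  return items.filter(r => !r.type || r.type === 'csp-violation').map(normalizeReport);
}

// blocked-uri is not always a URL: keywords ('inline', 'eval'), bare schemes
// ('data', 'blob') and "" all occur. Bucket by host only when there is one.
function blockedKey(blockedURL) {
  if (!blockedURL) return '(empty)';
  if (!blockedURL.includes('://')) return blockedURL;
  try { return new URL(blockedURL).host || blockedURL; } catch { return blockedURL; }
}

// Assumed noise rule: scripts injected by browser extensions are outside the
// site's control. Adjust this list to what your own traffic shows.
const NOISE_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-web-extension:'];
function isNoise(r) {
  return [r.blockedURL, r.sourceFile || ''].some(f => NOISE_SCHEMES.some(s => f.startsWith(s)));
}

// Frequency by directive and by blocked host over all non-noise reports, plus a
// deduplicated issue list (same directive, blocked URL, source file and line).
function analyze(reports) {
  const kept = reports.filter(r => !isNoise(r));
  const byDirective = {}, byHost = {}, issues = new Map();
  for (const r of kept) {
    byDirective[r.effectiveDirective] = (byDirective[r.effectiveDirective] || 0) + 1;
    const host = blockedKey(r.blockedURL);
    byHost[host] = (byHost[host] || 0) + 1;
    const key = [r.effectiveDirective, r.blockedURL, r.sourceFile || '', r.lineNumber || ''].join('|');
    const issue = issues.get(key) || { directive: r.effectiveDirective, blocked: r.blockedURL, count: 0 };
    issue.count += 1;
    issues.set(key, issue);
  }
  const uniqueIssues = [...issues.values()].sort((a, b) => b.count - a.count);
  return { total: reports.length, noise: reports.length - kept.length, byDirective, byHost, uniqueIssues };
}

// Constructed sample input: one legacy report-uri body and one Reporting API batch.
const SAMPLE_LEGACY = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://app.example/checkout', 'violated-directive': "script-src 'self'",
  'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example/widget.js',
  'original-policy': "default-src 'self'; script-src 'self'", 'disposition': 'report',
  'source-file': 'https://app.example/checkout', 'line-number': 42, 'column-number': 7 } });

const page = 'https://app.example/checkout';
const SAMPLE_REPORT_TO = JSON.stringify([
  { type: 'csp-violation', url: page, body: { documentURL: page, effectiveDirective: 'script-src',
    blockedURL: 'https://cdn.example/widget.js', sourceFile: page, lineNumber: 42, disposition: 'report' } },
  { type: 'csp-violation', url: page, body: { documentURL: page, effectiveDirective: 'script-src',
    blockedURL: 'inline', sourceFile: page, lineNumber: 88, disposition: 'report' } },
  { type: 'csp-violation', url: page, body: { documentURL: page, effectiveDirective: 'script-src',
    blockedURL: 'chrome-extension://abcdefghijklmnop/inject.js', disposition: 'report' } },
  { type: 'deprecation', url: page, body: { id: 'SomeAPI', message: 'not a CSP report' } },
  { type: 'csp-violation', url: page, body: { documentURL: page, effectiveDirective: 'img-src',
    blockedURL: 'https://tracker.example/pixel.gif', disposition: 'report' } },
]);

const allReports = [...parseReports(SAMPLE_LEGACY), ...parseReports(SAMPLE_REPORT_TO)];
const summary = analyze(allReports);
console.log(JSON.stringify(summary, null, 2));
```

On the sample input the same widget.js violation arrives once in each format and collapses to one issue with a count of 2, the extension-injected script is dropped as noise, and the deprecation entry is ignored because it is not a csp-violation report. The dedup key deliberately includes source file and line so two inline scripts on the same page stay separate fix candidates; widen or narrow that key to match how your own reports cluster.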
Next to view (diagnostic order)
- Permissions-Policy Inspect — Parse Permissions-Policy and review feature restrictions
- CSP Inspect — Parse and evaluate CSP directives
- Referrer-Policy Inspect — Parse Referrer-Policy and check referrer exposure
- CSP Builder — Build CSP policies from templates
- Security Headers Audit — Audit presence of major security headers
- Security Headers Recommendation — Suggest recommended values for missing headers
- Security Headers Fix Plan — Create a prioritized header-fix plan
- CSP Nonce/Hash Helper — Generate and verify CSP nonce/hash values
Same-theme links
Security Headers
Go from missing-header detection to concrete fix planning
- Security Headers Audit — Audit presence of major security headers
- Security Headers Recommendation — Suggest recommended values for missing headers
- Security Headers Fix Plan — Create a prioritized header-fix plan
- CSP Nonce/Hash Helper — Generate and verify CSP nonce/hash values
- CSP Builder — Build CSP policies from templates
- CSP Inspect — Parse and evaluate CSP directives
- HSTS Inspect — Parse HSTS to verify HTTPS enforcement
- Permissions-Policy Inspect — Parse Permissions-Policy and review feature restrictions
- Referrer-Policy Inspect — Parse Referrer-Policy and check referrer exposure
- X-Frame-Options Inspect — Parse X-Frame-Options to validate clickjacking protection
- X-Content-Type-Options Inspect — Parse X-Content-Type-Options and validate nosniff