Content Security Policy — automated
CSP Report scans your site with a real browser, generates production-ready policies in six deployment formats, and monitors violations in real time so you can enforce with confidence.
What a Content Security Policy delivers for your team
Every CSP journey starts in Report-Only mode. CSP Report helps you collect real-world violations, refine your allowlists, and move to full enforcement only when you are ready — no production breakage required.
Report-Only (the Content-Security-Policy-Report-Only header): the browser evaluates the policy and issues violation reports without blocking resource loads. Use this mode to assess impact and refine directives before enforcement.
Enforce (the Content-Security-Policy header): the browser applies the policy and blocks disallowed loads. Violations may still be reported when report-to or report-uri is configured. Adopt this header once Report-Only results are stable.
Go from zero to an enforced Content Security Policy in four steps — no CSP expertise required.
Enter a URL and CSP Report crawls up to 500 pages with real browser rendering, discovering every script, style, font, image, and frame your visitors load.
Get a suggested policy organized by directive. Approve, exclude, or adjust sources with full visibility into what each origin does and where it appears.
Export your policy in any format—HTTP header, meta tag, WordPress, Cloudflare, or JSON—and deploy in Report-Only mode to collect real-world violations safely.
Violation reports stream back automatically. Review what would break, refine your allowlists, and enforce with confidence when your policy is stable.
From first scan to full enforcement — the tools your team needs to build, deploy, and maintain a strong CSP without slowing down releases.
Real Chromium renders every page—capturing scripts, styles, fonts, images, and frames exactly as your visitors see them. No static-analysis guesswork.
Get a production-ready CSP header in six formats: HTTP header, meta tag, WordPress MU plugin, Cloudflare Workers, WP Engine, and JSON for any CDN or pipeline.
Deploy in Report-Only mode and stream real-world violations back via webhook. See exactly what would break before you enforce—no surprises in production.
One click compares your deployed CSP header against the suggested policy. Instantly spot drift, missing directives, or deployment gaps.
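The kind of comparison described above, as an added example that is not CSP Report's own code: it parses two serialized CSP strings and reports directives and sources present in the suggested policy but missing from the deployed header, sources the deployed header allows that the suggestion does not, and weak sources in the deployed script-src or default-src. The sample policies and hostnames are constructed placeholders.

```python
from typing import Dict, List, Set

# Sources that largely defeat a script-src / default-src restriction.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}

def parse_csp(policy: str) -> Dict[str, Set[str]]:
    """Split a serialized CSP into {directive: set of source expressions}.
    Directive names, keywords and scheme-sources are case-insensitive and are
    lowercased; host-sources are kept as written because paths are case-sensitive."""
    directives: Dict[str, Set[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in directives:  # browsers ignore a repeated directive
            continue
        directives[name] = {
            t.lower() if (t.startswith("'") or t.endswith(":")) else t
            for t in tokens[1:]
        }
    return directives

def diff_csp(deployed: str, suggested: str) -> Dict[str, List[str]]:
    """Compare a deployed CSP header against a suggested policy, directive by
    directive (default-src fallback is not modelled, so compare full policies)."""
    have, want = parse_csp(deployed), parse_csp(suggested)
    out: Dict[str, List[str]] = {
        "missing_directives": [], "missing_sources": [],
        "extra_sources": [], "weak_sources": [],
    }
    for name, sources in want.items():
        if name not in have:
            out["missing_directives"].append(name)
            continue
        out["missing_sources"] += [f"{name} {s}" for s in sorted(sources - have[name])]
        out["extra_sources"] += [f"{name} {s}" for s in sorted(have[name] - sources)]
    out["unexpected_directives"] = sorted(set(have) - set(want))
    for name in ("default-src", "script-src"):
        weak = have.get(name, set()) & WEAK_SCRIPT_SOURCES
        out["weak_sources"] += [f"{name} {s}" for s in sorted(weak)]
    return out

# Constructed sample policies (hostnames are placeholders, not real deployments).
DEPLOYED = ("default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; "
            "img-src 'self' data:")
SUGGESTED = ("default-src 'self'; script-src 'self' https://cdn.example.com "
             "https://analytics.example.net; img-src 'self' data: https://img.example.com; "
             "frame-src https://www.youtube.com; report-to csp-endpoint")

if __name__ == "__main__":
    for kind, items in diff_csp(DEPLOYED, SUGGESTED).items():
        print(f"{kind}: {items}")
```

Because a missing directive falls back to default-src in the browser, treat "missing_directives" as a prompt to check the fallback rather than as a guaranteed breakage.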
Share reports with a public link or email them directly to teammates. Everyone reviews the same findings—security, engineering, and compliance stay aligned.
Re-scan as your stack evolves. Violation digests (real-time, hourly, daily, or weekly) surface new third parties and regressions so your policy stays current.
One crawl, every format your team needs. From a simple HTTP header to a fully editable WordPress MU plugin with per-directive arrays—deploy anywhere in minutes.
CSP Report does the heavy lifting. It discovers what your site loads, suggests the right directives, and guides you from Report-Only to full enforcement step by step.
Content Security Policy is your browser-level security perimeter. It declares exactly which origins may serve scripts, styles, frames, and other subresources — turning silent compromises into visible violations you can act on. The formal rules live in the W3C Content Security Policy Level 3 specification.
A Content Security Policy is your first line of defense. It tells the browser exactly which origins may serve scripts, styles, and subresources—stopping cross-site scripting and malicious injections before they execute.
Report-Only mode lets you see every violation before anything is blocked. Fix allowlists deliberately, validate with real traffic, and enforce only when you know nothing will break.
Security audits, SOC 2 reviews, and programs like BitSight and SecurityScorecard expect explicit control over executable content. A clear CSP documents that posture directly in the browser.