CSP Evaluator is a tool that allows developers to check if a Content Security Policy (CSP) serves as mitigation against XSS attacks.
CSP Evaluator is a small tool that allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks. Reviewing CSP policies is usually a very manual process and most developers are not aware of CSP bypasses. CSP Evaluator checks are based on a large-scale empirical study and are aimed to help developers to harden their CSP. This tool is provided only for the convenience of developers and Google provides no guarantees or warranties for this tool.
- (2019-11-07) Escape Velocity: cool. May be better if it's possible to add/remove CSP directives so I can test without deploying codes lol
- (2019-10-29) Luc van Fol: doesn't detect CSP in page meta tags
- (2019-04-17) Loki Wijnen: Doesn't detect CSP on any websites I tested!
- (2018-07-05) Ronald Reagan: Спасибо!
- (2018-01-30) Binyamin Laukstein: Where to post the issues? It shows 'Directive "prefetch-src" is not a known CSP directive.', https://w3c.github.io/webappsec-csp/#directive-prefetch-src
- (2017-01-21) Dario Alpern: It appears that the extension does not consider CSP in meta tags.
- (2016-09-29) iphon4ik: Супер!