CSP Report-Only Analyzer

1) Paste violations

Supports common Chrome/Firefox console strings and JSON bodies containing csp-report.

Violations (one per line or raw JSON) Suggested policy fragments

---

2) Merge into an existing CSP (optional)

Paste your current CSP header value below, then merge suggestions into it (union sources per directive).

Existing CSP (header value) Merged CSP

This tool suggests additions; it cannot know your full intent. Prefer least privilege and avoid wildcards.

How to use

• Run with Content-Security-Policy-Report-Only first to collect violations.
• Paste console lines OR your reporting endpoint JSON payloads.
• Apply results to your CSP (see /csp.html), then iterate.

Safety notes

• Avoid adding *, 'unsafe-inline', 'unsafe-eval' unless you accept the risk.
• Prefer host-only sources like https://cdn.example.com (not full paths).
• Inline violations often indicate missing nonce/hash (see /csp-nonce.html and /csp-hash.html).