What Is CSP Validation?
Content Security Policy (CSP) validation checks whether your CSP header or meta tag correctly defines which resources the browser is allowed to load. A misconfigured CSP can either block legitimate resources, breaking your site, or be too permissive, leaving security gaps.
CSP is one of the most powerful browser security mechanisms against cross-site scripting (XSS) and data injection attacks. However, its directive syntax is complex and a single misplaced keyword can fundamentally change what the policy allows.
How the CSP Validator Works
CheckTown's CSP validator parses your policy string and checks for syntax errors, security risks, and common misconfigurations.
- Directive parsing — validates each directive name and its source values against the CSP specification
- Security analysis — flags overly permissive sources like unsafe-inline, unsafe-eval, and wildcard domains
- Deprecation warnings — identifies deprecated directives and suggests their modern replacements
Key CSP Directives
CSP uses directives to control which types of resources can be loaded and from where.
- default-src — fallback policy for all resource types not covered by more specific directives
- script-src — controls which scripts can execute, the most critical directive for XSS prevention
- style-src — defines allowed sources for CSS stylesheets and inline styles
When To Use CSP Validation
CSP validation is essential before deploying any changes to your security headers.
- Policy development — validate CSP rules while writing them to catch syntax errors before deployment
- Security audits — check existing CSP headers for overly permissive configurations
- CI pipelines — automate CSP validation as part of your deployment process
Frequently Asked Questions
What does unsafe-inline mean and when is it needed?
unsafe-inline allows inline scripts and styles to execute. It significantly weakens XSS protection but is sometimes needed for legacy code. Prefer nonce-based or hash-based allowlists as alternatives.
Can CSP break my website?
Yes. An overly strict CSP will block legitimate resources your site depends on. Always test new policies in report-only mode first using Content-Security-Policy-Report-Only before enforcing them.
Should I use CSP meta tags or HTTP headers?
HTTP headers are preferred because they support all directives and cannot be modified by injected code. Meta tags do not support frame-ancestors and report-uri directives.