Input is processed only in the active browser tab's memory and is not sent to a ByteQuant server.
CSP Builder & Auditor
Parses CSP directives locally and reports missing baseline directives, wildcards, HTTP, unsafe-eval, and script unsafe-inline signals. The generated starter must be tested in Report-Only mode against real dependencies before enforcement.
The result will appear here.
Input and output are not stored. The optional usage counter keeps only tool identity and count, never content.
Output comes from disclosed rules or browser APIs and needs independent review before high-impact use.
A result in three steps
- 01
Paste the current CSP or load the secure starter.
- 02
Run structural audit and review high/medium findings.
- 03
Test in Report-Only mode on the real site and refine it from violation reports.
When is this tool useful?
- ✓ CSP starting point for web apps
- ✓ Security-header reviews
- ✓ Third-party source inventory
Automated output is a preliminary assessment. Do not use it alone for legal, financial, medical, or security-critical decisions.
Guides for this tool
Making Decisions Auditable: Loans, AI Rubrics, and CSP
Transparent formulas, weighted human evaluation, and staged CSP adoption for higher-impact decisions.
Read guide →Frequently asked questions
Does this tool send input to a server?+
No. Processing runs in this browser tab. Data leaves the page only when you choose to copy or download the result.
Is the result definitive?+
The tool produces consistent output from disclosed rules and browser APIs, but context, data quality, and method limitations can affect it. Verify high-impact decisions.
Is input saved?+
No. Tool input is not persisted. With consent, only tool identity and usage count may be kept on this device for personal shortcuts.