Why your site needs a Content Security Policy
Content Security Policy is a browser-enforced allowlist for your site's content. It declares exactly which origins may serve scripts, styles, frames, and other subresources (and, with nonces or hashes, which individual inline scripts may run), turning silent compromises into visible violations you can act on. The formal rules live in the W3C Content Security Policy Level 3 specification.
Block XSS and supply-chain attacks
A Content Security Policy is a browser-enforced backstop for your other defenses. It tells the browser exactly which origins may serve scripts, styles, and subresources, so an injected inline script or a script pulled from an unlisted origin is refused before it executes. It limits the blast radius of cross-site scripting and compromised third-party scripts; it does not remove the injection bug itself.
Ship with confidence, not crossed fingers
Report-Only mode lets you see every violation before anything is blocked. Fix allowlists deliberately, validate with real traffic, and enforce only when you know nothing will break.
Meet compliance requirements faster
Security audits, SOC 2 reviews, and security-rating services such as BitSight and SecurityScorecard expect explicit control over executable content. A clear CSP documents that posture directly in the browser.
Want a deeper introduction? Read: What is a Content Security Policy?
How it works
Go from zero to an enforced Content Security Policy in four steps — no CSP expertise required.
1. Scan your site
Enter a URL and Consepo crawls your site with real browser rendering, discovering the scripts, styles, fonts, images, and frames your visitors actually load across the pages your plan covers.
2. Review and refine
Get a suggested policy organized by directive. Approve, exclude, or adjust sources with full visibility into what each origin does and where it appears.
3. Deploy in Report-Only
Export your policy in any format (HTTP header, meta tag, WordPress, Cloudflare, or JSON) and deploy it as a Report-Only header to collect real-world violations safely.
4. Monitor and enforce
Violation reports stream back automatically. Review what would break, refine your allowlists, and enforce with confidence when your policy is stable.
Start safe, then enforce
Every CSP journey starts in Report-Only mode. Consepo helps you collect real-world violations, refine your allowlists, and move to full enforcement only when you are ready — no production breakage required.
Content-Security-Policy-Report-Only
The browser evaluates the policy and issues violation reports without blocking resource loads. Use this mode to assess impact and refine directives before enforcement. Browsers honour this header only when it is delivered as an HTTP header; a Report-Only policy in a meta tag is ignored.
Content-Security-Policy
The browser applies the policy and blocks disallowed loads. Violations are still reported when report-to or report-uri is configured, so keep reporting enabled after enforcement to see what is actually being blocked. Adopt this header once Report-Only results are stable.
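The rollout described above, as an added example that is not Consepo's code: build the Report-Only header with reporting enabled, digest the violation reports browsers send back (both the legacy report-uri body and the Reporting API batch format), fold the origin-level findings into the allowlist, and emit the enforcing header. The function names, the /csp-reports endpoint and the sample reports are constructed for illustration.

```javascript
// Added example (not Consepo's code). Function names, the /csp-reports endpoint
// and the sample reports are hypothetical/constructed for illustration.

// Serialize a directive map into a CSP header value.
function serializePolicy(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// Pick the header for the rollout phase. Report-Only must travel as an HTTP
// header (browsers ignore it in a <meta> tag). report-uri is the legacy
// reporting directive and report-to the Reporting API one; sending both keeps
// older and newer browsers reporting. report-to names an endpoint declared in
// a Reporting-Endpoints header, which is returned alongside the policy.
function buildCspHeaders(directives, { reportOnly, reportEndpoint }) {
  const policy = { ...directives };
  const headers = {};
  if (reportEndpoint) {
    policy['report-uri'] = [reportEndpoint];
    policy['report-to'] = ['csp-endpoint'];
    headers['Reporting-Endpoints'] = `csp-endpoint="${reportEndpoint}"`;
  }
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  headers[name] = serializePolicy(policy);
  return headers;
}

// Browsers send two shapes: the legacy report-uri body {"csp-report": {...}} with
// hyphenated keys, and the Reporting API batch [{type:"csp-violation", body:{...}}]
// with camelCase keys. Normalize both to one record shape.
function normalizeReports(payload) {
  const bodies = Array.isArray(payload)
    ? payload.filter((r) => r.type === 'csp-violation').map((r) => r.body)
    : payload['csp-report'] ? [payload['csp-report']] : [];
  return bodies.map((b) => ({
    directive: b.effectiveDirective || b['effective-directive'] || b['violated-directive'],
    blockedUri: b.blockedURL || b['blocked-uri'] || '',
    documentUri: b.documentURL || b['document-uri'] || '',
    disposition: b.disposition || 'enforce',
  }));
}

// Reduce a blocked URI to the source expression that would allow it. Browsers
// report non-HTTP(S) schemes as just the scheme ("data"), and inline/eval
// violations as "inline"/"eval"; the latter go to a review bucket rather than
// being mapped to 'unsafe-inline'/'unsafe-eval'.
function sourceFor(blockedUri) {
  if (blockedUri === 'inline' || blockedUri === 'eval' || blockedUri === '') {
    return { kind: 'review', value: blockedUri || 'unknown' };
  }
  const scheme = /^(data|blob|filesystem)(:|$)/.exec(blockedUri);
  if (scheme) return { kind: 'scheme', value: scheme[1] + ':' };
  try {
    return { kind: 'origin', value: new URL(blockedUri).origin };
  } catch (e) {
    return { kind: 'review', value: blockedUri };
  }
}

// Aggregate normalized reports into per-directive candidate sources with counts,
// separating what can be allowlisted from what needs a human decision.
function suggestAllowlist(reports) {
  const allow = {};
  const review = {};
  for (const r of reports) {
    const s = sourceFor(r.blockedUri);
    const bucket = s.kind === 'review' ? review : allow;
    if (!bucket[r.directive]) bucket[r.directive] = {};
    bucket[r.directive][s.value] = (bucket[r.directive][s.value] || 0) + 1;
  }
  return { allow, review };
}

// Constructed sample reports: one legacy report-uri body and one Reporting API batch.
const SAMPLE_LEGACY = {
  'csp-report': {
    'document-uri': 'https://shop.example/checkout',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'blocked-uri': 'https://cdn.analytics.example/tag.js',
    disposition: 'report',
  },
};
const SAMPLE_BATCH = [
  { type: 'csp-violation', body: { documentURL: 'https://shop.example/checkout', effectiveDirective: 'script-src', blockedURL: 'https://cdn.analytics.example/tag.js?v=2', disposition: 'report' } },
  { type: 'csp-violation', body: { documentURL: 'https://shop.example/checkout', effectiveDirective: 'script-src', blockedURL: 'inline', disposition: 'report' } },
  { type: 'csp-violation', body: { documentURL: 'https://shop.example/', effectiveDirective: 'img-src', blockedURL: 'data', disposition: 'report' } },
  { type: 'deprecation', body: {} },
];

// Walk the rollout: Report-Only first, digest the reports, then enforce.
function rolloutDemo() {
  const base = { 'default-src': ["'self'"], 'script-src': ["'self'"], 'object-src': ["'none'"] };
  const reportOnly = buildCspHeaders(base, { reportOnly: true, reportEndpoint: '/csp-reports' });
  const digest = suggestAllowlist([...normalizeReports(SAMPLE_LEGACY), ...normalizeReports(SAMPLE_BATCH)]);
  // Fold in only the allowlistable sources. A directive added for the first time
  // starts from default-src, because once it exists the fallback no longer applies.
  const hardened = { ...base };
  for (const [directive, sources] of Object.entries(digest.allow)) {
    const existing = hardened[directive] || hardened['default-src'] || [];
    hardened[directive] = [...existing, ...Object.keys(sources)];
  }
  const enforced = buildCspHeaders(hardened, { reportOnly: false, reportEndpoint: '/csp-reports' });
  return { reportOnly, digest, enforced };
}
```

The inline violation deliberately stays in the review bucket: the fix is a nonce, a hash, or moving the script to a file, not 'unsafe-inline'. Note also how img-src starts from the default-src sources when it is introduced; forgetting that fallback rule is a common way an allowlist update breaks a page.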
Sign up for Consepo for free
All the tools you need to feel confident in your website's Content Security Policy
From first scan to full enforcement — the tools your team needs to build, deploy, and maintain a strong CSP without slowing down releases.
Browser-rendered crawling
Real Chromium renders every page—capturing scripts, styles, fonts, images, and frames exactly as your visitors see them. No static-analysis guesswork.
Ready-to-deploy policies
Get a production-ready CSP in six formats: HTTP header, meta tag, WordPress MU plugin, Cloudflare Workers, WP Engine, and JSON for any CDN or pipeline. Prefer the HTTP header where you can: the meta tag form cannot carry frame-ancestors, sandbox, or report-uri, and cannot run in Report-Only mode.
Violation monitoring
A crawl covers the pages it can reach, but checkout flows, login walls, and dynamic routes only render inside real user sessions. Monitoring captures violations from every page your visitors actually use, closing the gaps a crawler can't reach.
Live policy validation
One click compares your deployed CSP header against the suggested policy. Instantly spot drift, missing directives, or deployment gaps.
Team collaboration
Share reports with a public link or email them directly to teammates. Everyone reviews the same findings—security, engineering, and compliance stay aligned.
Continuous iteration
Re-scan as your stack evolves. Violation digests (real-time, hourly, daily, or weekly) surface new third parties and regressions so your policy stays current.
Multi-platform export
One crawl, every format your team needs. From a simple HTTP header to a fully editable WordPress MU plugin with per-directive arrays—deploy anywhere in minutes.
No expertise required
Consepo does the heavy lifting. It discovers what your site loads, suggests the right directives, and guides you from Report-Only to full enforcement step by step.