Chrome Extension · 100% free · No signup

Author, debug, ship
CSP headers.

Turn the browser into a Content-Security-Policy workbench. Observe live violations, rewrite the policy on the fly, or auto-build a strict header while you navigate, against real production pages, with no deploys.

5.0 · 600+ users on the Chrome Web Store

CentralCSP · Rec · Clear
Mode: Off | Observe | Rewrite | Build

Build mode: Strict report-only base. Violations are processed and your policy is built while you navigate.

Reports, last 1m, stacked by directive (window: 30s / 1m / 5m): connect-src · 18, style-src · 30
Time        Directive        Blocked source                          Disp
  • 18:46:17  style-src-attr   inline                                  REPORT
  • 18:46:15  style-src-attr   inline                                  REPORT
  • 18:46:15  connect-src      https://www.googletagmanager.com/…      REPORT
  • 18:46:13  style-src-attr   inline                                  REPORT
  • 18:46:11  style-src-attr   inline                                  REPORT
  • 18:46:11  connect-src      https://www.googletagmanager.com/…      REPORT
  • 18:46:09  style-src-attr   inline                                  REPORT
  • 18:46:07  style-src-attr   inline                                  REPORT
  • 18:46:07  connect-src      https://www.googletagmanager.com/…      REPORT
  • 18:46:05  style-src-attr   inline                                  REPORT
  • 18:46:03  style-src-attr   inline                                  REPORT
  • 18:46:03  connect-src      https://www.googletagmanager.com/…      REPORT
  • 18:46:01  style-src-attr   inline                                  REPORT

Selected report: frame-src · report · 18:44:39

Parsed

  • effective directive: frame-src
  • blocked uri: https://www.youtube.com
  • document uri: https://shop.acme.com/checkout
  • disposition: report
  • type: csp-violation

Raw JSON

{
  "body": {
    "blockedURL": "https://www.youtube.com",
    "disposition": "report",
    "documentURL": "https://shop.acme.com/checkout",
    "effectiveDirective": "frame-src",
    "originalPolicy": "default-src 'none'; script-src",
    "sample": "",
    "statusCode": 200
  },
  "id": "37afb202-d570-4b63-9091-2381d4897594",
  "origin": "https://shop.acme.com",
  "tabId": 1751836402,
  "ts": 1778863479783,
  "type": "csp-violation"
}
Current policy build (Pretty / Raw)
default-src 'none';
script-src 'report-sample' 'report-sha256';
script-src-elem 'self' 'unsafe-inline' https://cdn.acme.com https://www.youtube.com https://www.gstatic.com;
script-src-attr 'none';
style-src 'none';
style-src-elem 'self' 'unsafe-inline';
style-src-attr 'self' 'unsafe-inline';
img-src 'self' data:;
font-src 'self';
connect-src 'self' https://www.googletagmanager.com;
frame-src https://www.youtube.com;
object-src 'none';
base-uri 'none';
form-action 'none';
frame-ancestors 'none'

Built for the engineer in the loop

The workbench for CSP headers.

3 operating modes. Observe what the site enforces, Rewrite with your candidate, or Build from a strict base.

~5s from editing the policy to seeing the next reload's violations stream back into the panel.

0 accounts, telemetry, outbound calls. The whole workflow runs locally in your browser.

The loop

From install
to copy-ready header.

The whole cycle runs inside the browser. No staging environment, no crawler, no server change until you decide to ship the header.
  1. Install

     One click from the Chrome Web Store. The extension lives next to DevTools and stays off until you turn it on for a site.

  2. Pick a mode

     Observe to map current violations, Rewrite to test a candidate, or Build to auto-assemble a strict policy as you browse.

  3. Iterate

     Edit the policy in the panel. Every reload is a five-second feedback loop against real third parties on a real page.

  4. Review & ship

     Walk the assembled policy line by line, swap any 'unsafe-inline' for nonces, drop dev-only hosts. Then copy and roll it out as Report-Only first, Enforce next.

The three modes

Observe,
Rewrite, Build.

One toolbar button switches between them. Each mode is a separate way of relating to the CSP header that's actually on the page right now.

  1. Observe (mode 1 of 3)

     Leave the site's own CSP enforcing as-is and stream every violation it produces into the popup and DevTools panel. The fastest way to map what your current policy already breaks, line by line.

  2. Rewrite (mode 2 of 3)

     Replace the site's headers with your candidate policy on the fly. Pick Enforce or Report-Only, choose Replace or Append, refresh the page, and watch your policy fail or pass against real traffic.

  3. Build (mode 3 of 3)

     Automatically starts with a strict report-only base. Navigate the site the way a user would; the extension processes each violation and assembles a working policy you can copy into your server config.

Build mode

Strict base.
Policy assembles itself.

Build mode starts with a near-empty report-only policy. As you click through the site, each violation is captured, classified by directive, and folded into a candidate header. By the time you've walked the critical paths, you've got a policy grounded in what the page actually loads, not what a checklist guessed.
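The folding step described above, as an added example that is not CentralCSP's own code: violation reports in the shape the panel's Raw JSON shows (a top-level `type` plus a `body` with `blockedURL`, `documentURL` and `effectiveDirective`) are classified by directive and merged into a near-empty report-only base. The base policy, the function names and all sample reports except the page's own frame-src one are my assumptions. Inline and eval blocks are folded in as `'unsafe-inline'` / `'unsafe-eval'` but also returned in a review list, matching the "swap any 'unsafe-inline' for nonces" step rather than silently shipping them.

```javascript
// Added example (not CentralCSP's code): fold csp-violation reports into a candidate CSP.

// Near-empty report-only base that Build mode is described as starting from (assumed).
const STRICT_BASE =
  "default-src 'none'; script-src 'report-sample'; object-src 'none'; " +
  "base-uri 'none'; form-action 'none'; frame-ancestors 'none'";

// Serialized CSP -> Map<directive, Set<source expression>>.
function parsePolicy(header) {
  const policy = new Map();
  for (const chunk of header.split(";")) {
    const [name, ...sources] = chunk.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), new Set(sources));
  }
  return policy;
}

// Map -> header string; directives and sources sorted so successive builds diff cleanly.
function serializePolicy(policy) {
  return [...policy.entries()]
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([name, sources]) => [name, ...[...sources].sort()].join(" "))
    .join("; ");
}

// Translate one report's blockedURL into the source expression that would allow it.
// Chrome reports non-URL blocks with the pseudo-values "inline", "eval", "data", "blob".
function sourceFor(body) {
  switch (body.blockedURL) {
    case "inline": return "'unsafe-inline'";
    case "eval": return "'unsafe-eval'";
    case "data": return "data:";
    case "blob": return "blob:";
  }
  const blocked = new URL(body.blockedURL);
  const page = new URL(body.documentURL);
  // Same origin as the document collapses to 'self'; anything else is allowed by origin only.
  return blocked.origin === page.origin ? "'self'" : blocked.origin;
}

// Fold reports into the base. Returns the candidate header plus the entries a reviewer
// should replace with nonces or hashes before switching from Report-Only to Enforce.
function buildPolicy(reports, base = STRICT_BASE) {
  const policy = parsePolicy(base);
  const needsReview = new Set();
  for (const report of reports) {
    if (report.type !== "csp-violation") continue;
    const directive = report.body.effectiveDirective;
    const source = sourceFor(report.body);
    if (!policy.has(directive)) policy.set(directive, new Set());
    policy.get(directive).add(source);
    if (source.startsWith("'unsafe-")) {
      needsReview.add(`${directive} ${source} at ${report.body.documentURL}`);
    }
  }
  return { header: serializePolicy(policy), needsReview: [...needsReview] };
}

// Constructed sample reports: the first is the page's own frame-src example, the rest are made up.
const SAMPLE_REPORTS = [
  { type: "csp-violation", body: { blockedURL: "https://www.youtube.com", documentURL: "https://shop.acme.com/checkout", effectiveDirective: "frame-src", disposition: "report" } },
  { type: "csp-violation", body: { blockedURL: "https://shop.acme.com/favicon.ico", documentURL: "https://shop.acme.com/checkout", effectiveDirective: "img-src", disposition: "report" } },
  { type: "csp-violation", body: { blockedURL: "https://www.googletagmanager.com/gtm.js?id=GTM-XXXX", documentURL: "https://shop.acme.com/checkout", effectiveDirective: "connect-src", disposition: "report" } },
  { type: "csp-violation", body: { blockedURL: "inline", documentURL: "https://shop.acme.com/checkout", effectiveDirective: "style-src-attr", disposition: "report" } },
  { type: "csp-violation", body: { blockedURL: "inline", documentURL: "https://shop.acme.com/checkout", effectiveDirective: "style-src-attr", disposition: "report" } },
];

const result = buildPolicy(SAMPLE_REPORTS);
console.log(result.header);
console.log("review before enforcing:", result.needsReview);
```

Run it with `node build.js`. The output is a header grounded only in what the sample reports say the page loaded: `frame-src` gains the YouTube origin, `img-src` collapses the same-origin favicon to `'self'`, and the two inline style reports become one `style-src-attr 'unsafe-inline'` entry flagged for review.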
Mode selector: Off | Observe | Rewrite | Build (Build active)

  • Off: Extension idle. The site's own headers are untouched.
  • Observe: Watch the existing CSP enforce. Stream violations as they fire.
  • Rewrite: Replace the site's headers with your candidate policy. Iterate live.
  • Build (active): Start strict, navigate the site, watch a working policy auto-assemble.

Rewrite mode

Replace the live header.
Watch what breaks.

Drop your candidate policy in. Pick Replace or Append. Pick Enforce or Report-Only. Refresh. The page now answers to your CSP, with violations streaming into the panel as they fire, including the document URI, the source file, line and column for inline blocks, and the raw violation JSON.
CentralCSP · Rec · Clear
Mode: Off | Observe | Rewrite | Build

Rewrite mode: Your custom CSP replaces the site's headers. Violations against your policy are captured in real time.

Reports, last 1m, stacked by directive (window: 30s / 1m / 5m): font-src · 1, style-src · 4, script-src · 37, img-src · 22
Time        Directive        Blocked source                          Disp
  • 18:47:55  script-src-elem  inline                                  ENFORCE
  • 18:47:55  img-src          https://shop.acme.com/assets/ap…        ENFORCE
  • 18:47:55  img-src          https://shop.acme.com/favicon.…         ENFORCE
  • 18:47:55  img-src          https://cdn.acme.com/products/…         ENFORCE
  • 18:47:55  img-src          https://cdn.acme.com/banners/h…         ENFORCE
  • 18:47:55  script-src-elem  https://cdn.acme.com/static/ap…         ENFORCE
  • 18:47:55  script-src-elem  inline                                  ENFORCE
  • 18:47:55  img-src          https://shop.acme.com/images/p…         ENFORCE
  • 18:47:55  style-src-elem   inline                                  ENFORCE

Reporting endpoints (from server)

  • report-uri: https://csp-reports.acme.com/legacy-endpo…
  • report-to: csp-endpoint → https://csp-reports.acme.…

Custom reporting endpoint

Reports are delivered here via the Reporting-Endpoints header plus a report-to directive.

https://csp-reports.example.com/<your-endpoint>

Current policy rewrite
Strategy: Replace | Append
Policy mode: Enforce
default-src 'none';
script-src 'self' 'report-sha256';
report-to csp-endpoint;
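The panel above lists two delivery routes for violations, the legacy report-uri endpoint and the report-to group named in the Reporting-Endpoints header, and they arrive in different wire formats. As an added example that is not CentralCSP's or the platform's code, the block below normalizes both into the camelCase shape the panel shows, bounds the body size because a reporting endpoint is unauthenticated by nature, and emits the Report-Only / Enforce header pair for the roll-out the page recommends. The group name `csp-endpoint` and the endpoint URL placeholder are the page's; the sample bodies and all function names are constructed.

```javascript
// Added example (not CentralCSP's code): parse both CSP report formats and build roll-out headers.

const MAX_BODY_BYTES = 64 * 1024; // the endpoint is unauthenticated, so bound what gets parsed

// Accepts the raw POST body and its Content-Type, returns an array of normalized reports.
// Legacy report-uri: Content-Type application/csp-report, one report wrapped in {"csp-report": {...}}.
// Reporting API (report-to): Content-Type application/reports+json, a JSON array of {type, url, body}.
function normalizeReports(contentType, bodyText) {
  if (Buffer.byteLength(bodyText, "utf8") > MAX_BODY_BYTES) {
    throw new Error("report body too large");
  }
  const mediaType = contentType.split(";")[0].trim().toLowerCase();
  const parsed = JSON.parse(bodyText);

  if (mediaType === "application/csp-report") {
    const r = parsed["csp-report"];
    if (!r || typeof r !== "object") throw new Error("missing csp-report wrapper");
    return [{
      blockedURL: r["blocked-uri"] ?? "",
      documentURL: r["document-uri"] ?? "",
      // effective-directive is missing from very old browsers; fall back to violated-directive
      effectiveDirective: r["effective-directive"] ?? r["violated-directive"] ?? "",
      originalPolicy: r["original-policy"] ?? "",
      disposition: r["disposition"] ?? "enforce",
      statusCode: r["status-code"] ?? 0,
      sourceFile: r["source-file"] ?? "",
      lineNumber: r["line-number"] ?? 0,
      columnNumber: r["column-number"] ?? 0,
      sample: r["script-sample"] ?? "",
    }];
  }

  if (mediaType === "application/reports+json") {
    if (!Array.isArray(parsed)) throw new Error("expected a report batch");
    return parsed
      .filter((item) => item && item.type === "csp-violation" && item.body)
      .map(({ body }) => ({
        blockedURL: body.blockedURL ?? "",
        documentURL: body.documentURL ?? "",
        effectiveDirective: body.effectiveDirective ?? "",
        originalPolicy: body.originalPolicy ?? "",
        disposition: body.disposition ?? "enforce",
        statusCode: body.statusCode ?? 0,
        sourceFile: body.sourceFile ?? "",
        lineNumber: body.lineNumber ?? 0,
        columnNumber: body.columnNumber ?? 0,
        sample: body.sample ?? "",
      }));
  }

  throw new Error(`unsupported report content type: ${mediaType}`);
}

// Header pair for the roll-out: Report-Only first, Enforce next. Group name and URL from the page.
const ENDPOINT_GROUP = "csp-endpoint";
const ENDPOINT_URL = "https://csp-reports.example.com/<your-endpoint>"; // page placeholder, not a real host

function rolloutHeaders(policy, { enforce = false } = {}) {
  const policyWithReporting = `${policy.trim().replace(/;$/, "")}; report-to ${ENDPOINT_GROUP}`;
  return {
    "Reporting-Endpoints": `${ENDPOINT_GROUP}="${ENDPOINT_URL}"`,
    [enforce ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only"]: policyWithReporting,
  };
}

// Constructed sample bodies, one per format.
const LEGACY_SAMPLE = JSON.stringify({
  "csp-report": {
    "document-uri": "https://shop.acme.com/checkout",
    "violated-directive": "img-src",
    "effective-directive": "img-src",
    "original-policy": "default-src 'none'; img-src 'self'",
    "disposition": "enforce",
    "blocked-uri": "https://cdn.acme.com/products/1.png",
    "status-code": 200,
  },
});

const REPORTING_API_SAMPLE = JSON.stringify([
  {
    age: 12,
    type: "csp-violation",
    url: "https://shop.acme.com/checkout",
    user_agent: "Mozilla/5.0 (constructed)",
    body: {
      blockedURL: "https://www.youtube.com",
      disposition: "report",
      documentURL: "https://shop.acme.com/checkout",
      effectiveDirective: "frame-src",
      originalPolicy: "default-src 'none'; frame-src 'self'; report-to csp-endpoint",
      sample: "",
      statusCode: 200,
    },
  },
]);

console.log(normalizeReports("application/csp-report", LEGACY_SAMPLE));
console.log(normalizeReports("application/reports+json; charset=utf-8", REPORTING_API_SAMPLE));
console.log(rolloutHeaders("default-src 'none'; script-src 'self';"));
```

Both formats reduce to the same record, so whatever consumes them (the panel, a log pipeline, the policy builder) only needs one code path. Keeping `report-to` in the policy and `Reporting-Endpoints` as a separate header is what ties the two together; a `report-to` directive with no matching endpoint group is silently ignored by the browser, which is worth a check before trusting an empty report stream.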

What it is, what it isn't

A workbench,
not a watchtower.

The extension is for the engineer in the loop. For long-running collection and alerting, you want the hosted CentralCSP product. Here's the split.

Extension scope

What the extension does.

  • Rewrite the live CSP header in your browser on the fly.
  • Stream every violation in real time, with parsed and raw JSON.
  • Auto-build a strict policy from observed traffic in Build mode.
  • Hand you a copy-ready Content-Security-Policy header.
  • All data stays local. No accounts. No telemetry.

Out of scope

What the platform does.

Frequently asked

Questions developers ask.

Straight answers about how the extension works, what it touches, and where it stops. Missing yours? Ping us and we'll add it.

Product principle
A CSP you can't test against the real page isn't a CSP, it's a guess.

Free · No signup

Install it.
Ship a real CSP.

Add the extension, open a page that matters, pick a mode. Stop shipping a CSP you cannot test; ship one you have already watched the browser respect.
CentralCSP Chrome Extension. Author, debug, and roll out CSP headers | CentralCSP