CSP rollout simulator

Paste your existing violation reports. See exactly what would still break if you tightened your CSP to a stricter policy.

Tightening a Content-Security-Policy is the right thing to do — and a great way to break production unannounced. This tool replays the violation reports you're already collecting against a proposed stricter policy. You see exactly which URIs would start failing, which existing failures would clear, and which hosts to allowlist before you flip the switch. The CSP parser runs entirely in your browser; nothing leaves the page.

Input: a JSON array of violation reports, or one report per line. Press Simulate to run the proposed policy against them.
How matching works

For each report we resolve the effective directive against the proposed policy, falling back to default-src when the directive is missing (per the CSP spec only fetch directives such as script-src, img-src and font-src fall back; frame-ancestors, base-uri and form-action have no fallback and are governed only by an explicit directive). The blocked URL is then checked against that directive's source list with basic awareness of *.host wildcards, scheme sources such as https: and data:, port suffixes, and CSP keywords like 'self', 'unsafe-inline' and 'unsafe-eval'. When the report doesn't carry enough information to be sure (for example, an inline script under a nonce-based allowance: the report cannot tell us whether that script carried the nonce), we mark the row uncertain and treat it as blocked. Better to investigate one extra row than to ship a regression.
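The matching rules above, as an added worked example in JavaScript. This is not the simulator's own code: it is a from-scratch matcher that parses a policy string, walks the directive fallback chain, and classifies each report as allowed, blocked or uncertain. The policy and the six reports at the bottom are constructed samples in the shape browsers send; the fetch-directive list, the worker-src fallback and the 'self' port comparison are simplified and are assumptions of this example, not behaviour the page describes.

```javascript
// Added example (not the simulator's own code): replay CSP violation reports against a
// proposed policy and classify each as allowed / blocked / uncertain.

// Fetch directives fall back to default-src when absent. frame-ancestors, base-uri,
// form-action, sandbox and report-* never do, so they are deliberately not listed.
const FETCH_DIRECTIVES = new Set(['script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'child-src', 'manifest-src', 'prefetch-src']);
// Intermediate fallbacks tried before default-src (worker-src simplified to child-src; assumption).
const FALLBACK = new Map(Object.entries({
  'script-src-elem': 'script-src', 'script-src-attr': 'script-src',
  'style-src-elem': 'style-src', 'style-src-attr': 'style-src',
  'frame-src': 'child-src', 'worker-src': 'child-src' }));
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443', 'ftp:': '21' };
const NETWORK_SCHEMES = new Set(Object.keys(DEFAULT_PORT));

// "script-src 'self' https://cdn.example; img-src *" -> Map(directive -> [source expressions]).
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (!tokens.length) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // duplicate directive: first one wins
  }
  return policy;
}

// Walk the fallback chain; returns the directive that governs `name`, or null if none does.
function resolveDirective(policy, name) {
  for (let d = name; d; d = FALLBACK.get(d) || (FETCH_DIRECTIVES.has(d) ? 'default-src' : null)) {
    if (policy.has(d)) return d;
  }
  return null;
}

// Expression scheme (or the document's scheme when the expression has none) vs the URL's
// scheme, allowing the http->https and ws->wss upgrades the spec permits.
function schemeMatches(exprScheme, url, doc) {
  const base = exprScheme || doc.protocol;
  return base === url.protocol || (base === 'http:' && url.protocol === 'https:')
    || (base === 'ws:' && url.protocol === 'wss:');
}

// Host-source expression such as https://*.cdn.example:443/assets/ against a parsed URL.
function hostMatches(expr, url, doc) {
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?(\*|(?:\*\.)?[^:\/*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (!schemeMatches(scheme && scheme.toLowerCase(), url, doc)) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (want.startsWith('*.') ? !h.endsWith(want.slice(1)) : (want !== '*' && h !== want)) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  // No port in the expression means the URL must sit on its scheme's default port.
  if (port ? (port !== '*' && port !== urlPort) : urlPort !== DEFAULT_PORT[url.protocol]) return false;
  if (path && url.pathname !== path && !(path.endsWith('/') && url.pathname.startsWith(path))) return false;
  return true;
}

// Classify one blocked-uri against a source list: 'allowed', 'blocked' or 'uncertain'.
function matchSourceList(sources, blockedUri, documentUri) {
  const lower = sources.map(s => s.toLowerCase());
  const has = kw => lower.includes(kw);
  if (!sources.length || has("'none'")) return 'blocked';
  if (blockedUri === 'inline') {
    // A nonce or hash in the list disables 'unsafe-inline', and the report cannot tell us
    // whether this particular inline carried the nonce: flag it rather than guess.
    if (lower.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s))) return 'uncertain';
    return has("'unsafe-inline'") ? 'allowed' : 'blocked';
  }
  if (blockedUri === 'eval' || blockedUri === 'wasm-eval') return has("'unsafe-eval'") ? 'allowed' : 'blocked';
  // Under 'strict-dynamic' host allowlists are ignored; trust depends on the loading script.
  if (has("'strict-dynamic'")) return 'uncertain';
  // Browsers report non-network schemes bare ("data", "blob"); only a scheme source can match.
  if (/^[a-z][a-z0-9+.-]*$/i.test(blockedUri)) return has(blockedUri.toLowerCase() + ':') ? 'allowed' : 'blocked';
  let url, doc;
  try { url = new URL(blockedUri); doc = new URL(documentUri); } catch { return 'uncertain'; }
  for (const expr of sources) {
    const e = expr.toLowerCase();
    if (e === '*') { if (NETWORK_SCHEMES.has(url.protocol) || url.protocol === doc.protocol) return 'allowed'; continue; }
    if (/^[a-z][a-z0-9+.-]*:$/.test(e)) { if (schemeMatches(e, url, doc)) return 'allowed'; continue; }
    if (e === "'self'") {   // same host and port as the document, scheme upgrade allowed (simplified)
      if (url.hostname === doc.hostname && url.port === doc.port && schemeMatches(null, url, doc)) return 'allowed';
      continue;
    }
    if (e.startsWith("'")) continue;   // other keywords never match a URL
    if (hostMatches(expr, url, doc)) return 'allowed';
  }
  return 'blocked';
}

// Replay one report (browser JSON shape, optionally wrapped in "csp-report").
function simulate(policyText, report) {
  const policy = parsePolicy(policyText);
  const r = report['csp-report'] || report;
  const requested = String(r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0].toLowerCase();
  if (!requested) return { directive: null, verdict: 'uncertain' };
  const directive = resolveDirective(policy, requested);
  if (!directive) return { directive: null, verdict: 'allowed' };   // proposed policy does not govern it
  const verdict = matchSourceList(policy.get(directive), String(r['blocked-uri'] || ''), String(r['document-uri'] || ''));
  return { directive, verdict };
}

// Constructed proposed policy and reports (shaped like browser reports; not real data).
const PROPOSED = "default-src 'self'; script-src 'self' https://*.cdn.example 'nonce-r4nd0m'; img-src 'self' data:; frame-ancestors 'none'";
const DOC_URI = 'https://app.example/';
const REPORTS = [
  ['script-src-elem', 'https://static.cdn.example/app.js'],   // wildcard host: allowed
  ['script-src-elem', 'https://evil.example/x.js'],           // not allowlisted: blocked
  ['script-src-elem', 'inline'],                              // nonce in list: uncertain
  ['img-src', 'data'],                                        // data: scheme source: allowed
  ['font-src', 'https://fonts.example/a.woff2'],              // falls back to default-src: blocked
  ['form-action', 'https://pay.example/submit'],              // no default-src fallback: allowed
].map(([d, u]) => ({ 'csp-report': { 'document-uri': DOC_URI, 'effective-directive': d, 'blocked-uri': u } }));

function runAll(policy = PROPOSED, reports = REPORTS) {
  return reports.map(r => simulate(policy, r).verdict);
}
console.log(runAll());
```

The font-src row is the one a rollout most often misses: the proposed policy never mentions fonts, yet tightening default-src to 'self' makes every third-party font fail. The form-action row shows the opposite: with no fallback, nothing in the proposed policy governs it, so the row is reported as allowed rather than as a false regression.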

Want this on every error automatically?

GlitchReplay does this on every event you capture. Sentry-SDK compatible, flat-rate pricing, session replay included — built on Cloudflare so a bad deploy will never blow up your bill.