How to find out if a Site has a Content Security Policy (CSP) deployed
There are a few ways to do so.
First, keep in mind that CSPs are deployed via a Response Header and/or a Meta Tag, and that determines where you can see the deployed CSP.
- Response Header – Option #1
  - Utilize Google Chrome Developer Tools
    - Go to the website of choice and open Google Chrome Developer Tools
    - Go to the Network tab (#1)
    - Look for the first-party delivered object, usually the first item in the list on the Network tab (#2)
    - Look for a 200 OK Response item (#3)
    - Scroll down to the Response Headers section (#4)
    - See the CSP in the Response Headers, if present
- Response Header – Option #2
  - There is a Chrome browser extension called “CSP Evaluator” that will automatically pull in the CSP (only the Response Header based CSP, not the Meta Tag version)
  - Be cautious: you do give extensions some clear access to your web data.
- Meta Tag
  - Right-click a blank area on the site in Chrome
  - Select “View Page Source”
  - When the new source window opens, press CTRL+F and search for Content-Security-Policy to find a Meta Tag based CSP (if present)
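The same two checks can be scripted. This is an added example, not part of the original article: it reads the CSP from the response headers and from any meta tag, and it also reports the `Content-Security-Policy-Report-Only` header, which the steps above do not cover. The names `find_csp` and `check_site` and the sample data are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.request import Request, urlopen

# Constructed sample response, not taken from any real site.
SAMPLE_HEADERS = [("Content-Type", "text/html"),
                  ("Content-Security-Policy", "default-src 'self'")]
SAMPLE_BODY = ('<html><head><meta http-equiv="Content-Security-Policy" '
               'content="img-src https:"></head><body></body></html>')


class _MetaCSP(HTMLParser):
    """Collects the content of <meta http-equiv="Content-Security-Policy"> tags."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # parser lowercases tag and attribute names
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "content-security-policy":
            self.policies.append(a.get("content", "").strip())


def find_csp(headers, body):
    """headers: iterable of (name, value) pairs; body: the page's HTML text."""
    found = {"header": [], "header_report_only": [], "meta": []}
    for name, value in headers:
        n = name.lower()  # header names are case-insensitive
        if n == "content-security-policy":
            found["header"].append(value.strip())
        elif n == "content-security-policy-report-only":
            found["header_report_only"].append(value.strip())
    parser = _MetaCSP()
    parser.feed(body)
    found["meta"] = parser.policies
    return found


def check_site(url):
    """Fetch url (needs network access) and report any CSP it delivers."""
    req = Request(url, headers={"User-Agent": "csp-check-example"})
    with urlopen(req, timeout=10) as resp:
        body = resp.read().decode("utf-8", "replace")
        return find_csp(resp.headers.items(), body)


if __name__ == "__main__":
    print(find_csp(SAMPLE_HEADERS, SAMPLE_BODY))
```

A site can send more than one CSP header and also a meta tag, so each entry in the result is a list.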
All the best, Gus
If you'd like any help at all - reach out to firstname.lastname@example.org or directly to me.