🚨 Content Security Policy (CSP) Demonstration
⚠️ Current CSP Mode: NONE
CSP Header: None
Description: No CSP - completely vulnerable
Test Different CSP Configurations:
No CSP
Weak CSP
Strong CSP
XSS Test Buttons (click to test CSP effectiveness):
Test Inline Script
Test eval()
Test Function Constructor
External Resource Tests:
Try loading external JavaScript:
Load External Script
CSP Vulnerability Analysis:
'unsafe-inline': allows inline scripts and styles, which defeats the XSS protection CSP is meant to provide
'unsafe-eval': allows eval() and the Function constructor, which lets attacker-controlled strings be turned into executable code
Wildcards (*): allow loading from any domain, which bypasses the source restrictions
Missing CSP: provides no protection against XSS attacks
What you should see:
No CSP: all scripts execute successfully
Weak CSP: all scripts still execute (the CSP allows the unsafe operations)
Strong CSP: most scripts are blocked by the CSP (check the browser console for violation reports)
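The decision the browser makes for each of the demo's buttons can be modelled outside the browser. The following evaluator is an added example, not code from the demo page: it parses a CSP header's script-src (falling back to default-src, as browsers do) and reports whether an inline script, eval()/new Function(), and an external script from a given origin would be allowed. The three header strings, the page origin and the script origins are constructed for this example; they are not the demo's actual headers.

```javascript
// Added example, not the demo's own code. The three header strings are
// constructed to stand in for the demo's "No CSP", "Weak CSP" and
// "Strong CSP" modes.
const POLICIES = {
  none: null,                                              // no CSP header at all
  weak: "default-src * 'unsafe-inline' 'unsafe-eval'",     // permits everything
  strong: "default-src 'none'; script-src 'self'",         // same-origin scripts only
};

function parseCsp(header) {
  const directives = {};
  if (!header) return directives;
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources.map(s => s.toLowerCase());
  }
  return directives;
}

function scriptSources(header) {
  const d = parseCsp(header);
  return d['script-src'] || d['default-src'] || null;      // null = unrestricted
}

function originAllowed(sources, pageOrigin, origin) {
  const host = new URL(origin).host;
  return sources.some(src => {
    if (src === "'self'") return origin === pageOrigin;
    if (src === '*') return /^https?:/.test(origin);       // wildcard: any network origin
    if (src.startsWith('*.')) return host.endsWith(src.slice(1));
    return src === origin || src === host;                 // explicit host-source
  });
}

// Returns which of the demo's three tests would succeed under `header`.
function evaluate(header, pageOrigin, scriptOrigin) {
  const sources = scriptSources(header);
  if (sources === null) return { inline: true, eval: true, external: true };
  // A nonce- or hash- source makes browsers ignore 'unsafe-inline' (CSP level 2+).
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  return {
    inline: sources.includes("'unsafe-inline'") && !hasNonceOrHash,
    eval: sources.includes("'unsafe-eval'"),
    external: originAllowed(sources, pageOrigin, scriptOrigin),
  };
}
```

Running evaluate() over the three policies reproduces the "What you should see" table: everything allowed under none and weak, and under strong only the same-origin external script passes.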