April 4, 2026
Your website just got a report card
Csp-toolkit – Python library to parse, analyze, and find bypasses in CSP headers
Python tool grades your site’s safety — GitHub aces, Facebook flunks, devs sweat
TLDR: A new Python tool, csp-toolkit, grades website security rules and finds real bypass tricks, crowning GitHub, failing Facebook and Apple, and noting that Google/YouTube only run their policies in “report-only” mode. The crowd cheers the bug-hunting power while developers worry it’ll fuel public shaming and debate how sites should report problems.
A new Python tool called csp-toolkit just walked into the room and handed out report cards for website safety — and the grades are spicy. Content Security Policy (CSP) is the browser’s “no bad scripts” rulebook, and this tool scans those rules, hunts for loopholes, and even suggests real-world tricks attackers might use. The shocker: GitHub scored A+ while Facebook, Netflix, and Apple face-planted with Fs, and Google/YouTube aren’t even enforcing their policies yet — they’re just “report-only.” Ouch.
The comment section lit up with equal parts applause and panic. One user, thitami, summed up the vibe: CSPs look fine until you realize someone flipped an “unsafe-inline” switch years ago and never turned it off. Security folks love that the tool’s “bypass finder” can flag risky whitelisted domains (think old-school JSONP endpoints), while developers groaned that this will turn every bug hunter’s recon into a highlight reel. Arguments broke out over the boring-but-important stuff too — like how sites should report violations (old “report-uri” vs newer “report-to”).
Meanwhile, the memes wrote themselves: GitHub as the teacher’s pet, Facebook and Apple in summer school, and Google getting side-eye for grading themselves but not enforcing. Try it yourself on PyPI — or hide your report card behind Google’s CSP Evaluator.
Key Points
- csp-toolkit is a Python library and CLI that parses CSP headers, runs 21 weakness checks, finds bypass vectors, and grades policies A+ to F.
- The tool’s bypass finder cross-references whitelisted domains against a database of 79 exploitable domains, including 66 JSONP domains, 13 CDN gadget domains (31 gadgets), and 18+ arbitrary hosting domains.
- Version v0.6.2 is available on PyPI, with examples provided for command-line and Python usage; 15 CLI commands cover analysis, scanning, monitoring, diffs, and more.
- csp-toolkit outputs specific bypass payloads and can verify live endpoints with a --check-live option.
- Applied to top websites, csp-toolkit reported scores from A+ (GitHub 98) to F (Apple 8), citing issues like JSONP vectors, unsafe-inline/unsafe-eval, wildcards, report-only policies, and CSP2 downgrades.
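To make the “parse, check, grade” pipeline from the article and the key points concrete, here is an added example of a small CSP analyzer in Python. It is not csp-toolkit’s own code: it parses a Content-Security-Policy header value, applies the directive fallback browsers use, runs a handful of the weakness checks the page mentions (the stale ‘unsafe-inline’ switch, ‘unsafe-eval’, wildcards and scheme-only sources, a risky whitelisted host, missing object-src and base-uri, report-uri without report-to, and report-only delivery), and turns the findings into a letter grade. The penalty weights, the grade bands and the `RISKY_SCRIPT_HOSTS` list are constructed stand-ins, not the tool’s 21 checks or its 79-domain database.

```python
"""Minimal CSP analyzer (added example; not csp-toolkit's own code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed placeholder for the tool's exploitable-domain database.
# These hosts are not real endpoints; swap in your own review list.
RISKY_SCRIPT_HOSTS = frozenset({"jsonp.example", "gadgets.example"})

# Source expressions that whitelist an entire scheme rather than a host.
SCHEME_SOURCES = {"http:", "https:", "data:", "blob:", "filesystem:"}

# Constructed grade bands: (minimum score, letter).
GRADE_BANDS = [(95, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]


@dataclass(frozen=True)
class Finding:
    code: str
    message: str
    penalty: int


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive, and a repeated directive is ignored (browsers keep
    the first occurrence). Tokens are lowercased for matching; nonce and
    hash values are never compared here, so that is safe.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> Optional[list[str]]:
    """Apply the fetch-directive fallback (e.g. script-src -> default-src)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def host_of(source: str) -> str:
    """Strip scheme, path and port from a host-source expression."""
    host = source.split("//", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0]


def check_script_sources(sources: list[str]) -> list[Finding]:
    """Weakness checks for the resolved script-src list."""
    findings: list[Finding] = []
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    # A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it alone.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append(Finding("unsafe-inline", "inline scripts allowed without nonce/hash", 30))
    if "'unsafe-eval'" in sources:
        findings.append(Finding("unsafe-eval", "eval() and friends allowed", 20))
    for src in sources:
        if src.startswith("'"):
            continue  # keyword, nonce or hash
        if src == "*":
            findings.append(Finding("wildcard", "any origin may serve scripts", 20))
        elif src in SCHEME_SOURCES:
            findings.append(Finding("scheme-source", f"every {src} origin may serve scripts", 20))
        else:
            host = host_of(src)
            if host in RISKY_SCRIPT_HOSTS:
                findings.append(Finding("risky-host", f"whitelisted host {host} is on the risky list", 15))
            elif host.startswith("*."):
                findings.append(Finding("wildcard-subdomain", f"every subdomain of {host[2:]} trusted", 10))
    return findings


def analyze(header: str, report_only: bool = False) -> list[Finding]:
    """Run all checks against one header value; report_only marks the
    Content-Security-Policy-Report-Only delivery header."""
    policy = parse_csp(header)
    findings: list[Finding] = []
    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append(Finding("no-script-src", "no script-src and no default-src", 40))
    else:
        findings.extend(check_script_sources(script))
    if effective_sources(policy, "object-src") is None:
        findings.append(Finding("no-object-src", "object-src unset with no default-src fallback", 10))
    if "base-uri" not in policy:
        findings.append(Finding("no-base-uri", "base-uri unset", 5))
    if "report-uri" in policy and "report-to" not in policy:
        findings.append(Finding("report-uri-only", "only deprecated report-uri; add report-to", 5))
    if report_only:
        findings.append(Finding("report-only", "policy is report-only: nothing is enforced", 25))
    return findings


def score(findings: list[Finding]) -> int:
    return max(0, 100 - sum(f.penalty for f in findings))


def grade(findings: list[Finding]) -> str:
    points = score(findings)
    for threshold, letter in GRADE_BANDS:
        if points >= threshold:
            return letter
    return "F"


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    STRONG = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
              "object-src 'none'; base-uri 'self'; report-to csp-endpoint")
    WEAK = "script-src * 'unsafe-inline' 'unsafe-eval' https://jsonp.example; report-uri /csp"
    for label, header, ro in [("strong", STRONG, False), ("weak", WEAK, False), ("weak/report-only", WEAK, True)]:
        found = analyze(header, report_only=ro)
        print(f"{label}: {grade(found)} ({score(found)})")
        for f in found:
            print(f"  [{f.code}] {f.message}")
```

Run it as a script to see the three constructed cases graded; the interesting part for a reviewer is that the strong header earns its grade only because the nonce, `object-src 'none'` and `base-uri` are all present, and that the same weak header drops a further 25 points when delivered as report-only, which is the point the article makes about Google/YouTube.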