CSP Test

Violate img-src with ftp: scheme.

<img src="ftp://example.com/ftp.png">

Violate iframe with example.com

<iframe src="https://example.com"></iframe>

Generate a blocked-uri value of 'about'

<script src="about:blank"></script>

Test a CSP directive with a path. If the image loads, your browser supports paths in CSP.

<img src="https://securityheaders.io/images/security-headers.png">

Test if the CSP send the path of the blocked asset.

<img src="https://securityheaders.io/images/blocked.png">

Generate an inline violation to see how it is reported.


This script shouldn't load, it doesn't exist.

<script src="https://platform.twitter.com/does-not-exist.js"></script>

Test upgrade-insecure-requests with an upgrade.

<img src="http://scotthelme.co.uk/upgrade.png">