new icon for nuget

Author: MPCoreDeveloper

PACKAGE.md

@@ -134,6 +134,13 @@ Both methods are defined in **`SafeWebCore.Extensions.ServiceCollectionExtension
 - 🔌 **Extensible** — custom `IHeaderPolicy` implementations
 - 📊 **CSP violation reporting** — built-in `/csp-report` endpoint using Reporting API v1
 
+## Validate Your Headers
+
+After deploying, test your security headers with:
+
+- **[securityheaders.com](https://securityheaders.com/)** — Grades all response headers A+ through F. With the Strict A+ preset you should score **A+** immediately.
+- **[Google CSP Evaluator](https://csp-evaluator.withgoogle.com/)** — Paste your `Content-Security-Policy` value to check for misconfigurations (missing `object-src`, `'unsafe-inline'` without nonce, missing `'strict-dynamic'`, etc.).
+
 ## Documentation
 
 Full documentation: [github.com/MPCoreDeveloper/SafeWebCore/docs](https://github.com/MPCoreDeveloper/SafeWebCore/tree/master/docs)

README.md

@@ -249,6 +249,31 @@ dotnet-coverage collect -f cobertura -o coverage.cobertura.xml dotnet test
 
 ---
 
+## ✅ Validate Your Security Headers
+
+After deploying your application, verify your headers with these tools:
+
+### 1. [securityheaders.com](https://securityheaders.com/)
+
+Scans **all** response headers and grades your site **A+** through **F**. Validates HSTS, CSP, X-Frame-Options, Permissions-Policy, Referrer-Policy, and more.
+
+> With SafeWebCore's Strict A+ preset you should score **A+** immediately.
+
+### 2. [Google CSP Evaluator](https://csp-evaluator.withgoogle.com/)
+
+Paste your `Content-Security-Policy` header value to check for common CSP misconfigurations:
+- ❌ Missing `object-src 'none'`
+- ❌ `'unsafe-inline'` without a nonce or hash
+- ❌ Missing `'strict-dynamic'` for trust propagation
+- ❌ Overly permissive wildcards (`*`, `https:`)
+- ✅ Nonce-based policy with `'strict-dynamic'` (SafeWebCore default)
+
+### 3. Browser DevTools
+
+Open **DevTools → Network tab → Response Headers** to inspect headers on every request. Any CSP violations will also appear in the **Console** tab.
+
+---
+
 ## 🤝 Contributing
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

docs/csp-configuration.md

@@ -365,3 +365,58 @@ SafeWebCore correctly handles deprecated directives:
 | `block-all-mixed-content` | `[Obsolete]` — modern browsers block mixed content by default | `upgrade-insecure-requests` |
 
 Both deprecated directives are excluded from `CspBuilder` but remain available on `CspOptions` with `[Obsolete]` attributes and compiler warnings.
+
+---
+
+## Validate Your CSP
+
+After deploying your application, always validate your Content Security Policy using these tools:
+
+### [securityheaders.com](https://securityheaders.com/)
+
+Scans **all** response headers and grades your site **A+** through **F**. It checks:
+- Content-Security-Policy presence and quality
+- Strict-Transport-Security (HSTS)
+- X-Frame-Options / frame-ancestors
+- Permissions-Policy
+- Referrer-Policy
+- X-Content-Type-Options
+- Cross-Origin policies (COEP, COOP, CORP)
+
+> 💡 With SafeWebCore's Strict A+ preset you should score **A+** immediately.
+
+**How to use:**
+1. Deploy your application to a public URL (or use a tunnel like ngrok for local testing)
+2. Visit [securityheaders.com](https://securityheaders.com/)
+3. Enter your URL and click **Scan**
+4. Review the grade and any missing headers
+
+### [Google CSP Evaluator](https://csp-evaluator.withgoogle.com/)
+
+Google's dedicated CSP analyzer checks your policy for common misconfigurations:
+
+| Check | SafeWebCore Default |
+|-------|-------------------|
+| Missing `object-src` | ✅ Set to `'none'` |
+| `'unsafe-inline'` without nonce/hash | ✅ Uses nonce-only |
+| Missing `'strict-dynamic'` | ✅ Enabled by default |
+| Missing `base-uri` | ✅ Set to `'none'` |
+| Overly permissive wildcards (`*`) | ✅ No wildcards in defaults |
+| Missing `script-src` | ✅ Nonce + strict-dynamic |
+
+**How to use:**
+1. Open your site in the browser and copy the `Content-Security-Policy` header value from DevTools (Network tab → Response Headers)
+2. Visit [csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com/)
+3. Paste the header value and click **Check CSP**
+4. Review the findings — green means safe, yellow/red means attention needed
+
+### Browser DevTools
+
+Your browser also reports CSP violations in real-time:
+
+1. Open **DevTools** (F12)
+2. **Network tab** → Click any request → **Response Headers** to see the full CSP header
+3. **Console tab** → Any CSP violations will appear as errors with the blocked resource and violated directive
+4. Use this during development to catch issues before deployment
+
+> ⚠️ **Important:** Always test in production (or staging) with the real CSP header. Development servers may not have all headers enabled.

docs/getting-started.md

@@ -121,6 +121,19 @@ content-security-policy: default-src 'none'; script-src 'nonce-abc123...' 'stric
 3. Enter your URL and scan
 4. You should see an **A+** rating
 
+This tool grades **all** security headers (HSTS, CSP, X-Frame-Options, Permissions-Policy, etc.) from A+ through F.
+
+### Option D: Google CSP Evaluator
+
+1. Copy the `Content-Security-Policy` header value from DevTools or `curl` output
+2. Visit [csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com/)
+3. Paste the header value and click **Check CSP**
+4. All checks should be green with SafeWebCore's defaults
+
+Google's CSP Evaluator checks for common misconfigurations like missing `object-src`, `'unsafe-inline'` without nonce, and missing `'strict-dynamic'`.
+
+> 💡 **Tip:** Always validate with both tools after any CSP changes. See the [CSP Configuration Guide](csp-configuration.md#validate-your-csp) for detailed usage instructions.
+
 ## Next Steps
 
 | Topic | Link |

icon.png

@@ -54,6 +54,16 @@ namespace SafeWebCore.Builder;
 /// <c>.ScriptSrc("'sha256-abc123...' 'strict-dynamic'")</c>. This is a CSP Level 3 feature for
 /// allowing specific inline scripts/styles by their SHA-256, SHA-384, or SHA-512 digest.
 /// </para>
+/// <para>
+/// <b>Validate your policy:</b> After deploying, test your CSP headers using these tools:
+/// </para>
+/// <list type="bullet">
+///   <item><description><see href="https://securityheaders.com/">securityheaders.com</see> — Scans all response
+///   headers and grades your site A+ through F. Validates HSTS, CSP, Permissions-Policy, and more.</description></item>
+///   <item><description><see href="https://csp-evaluator.withgoogle.com/">Google CSP Evaluator</see> — Analyzes your
+///   Content-Security-Policy for common misconfigurations (e.g. missing <c>object-src</c>, <c>'unsafe-inline'</c>
+///   without nonce, missing <c>'strict-dynamic'</c>).</description></item>
+/// </list>
 /// </remarks>
 public sealed class CspBuilder
 {

src/SafeWebCore/Builder/CspBuilder.cs

@@ -33,6 +33,16 @@ namespace SafeWebCore.Options;
 /// Use <see cref="SafeWebCore.Builder.CspBuilder"/> for a fluent API, or C# <c>with</c> expressions
 /// to modify individual directives from a preset.
 /// </para>
+/// <para>
+/// <b>Validate your policy after deployment:</b>
+/// </para>
+/// <list type="bullet">
+///   <item><description><see href="https://securityheaders.com/">securityheaders.com</see> — Grades all security
+///   headers (A+ through F), including CSP, HSTS, Permissions-Policy, and X-Frame-Options.</description></item>
+///   <item><description><see href="https://csp-evaluator.withgoogle.com/">Google CSP Evaluator</see> — Analyzes your
+///   CSP for misconfigurations such as missing <c>object-src</c>, <c>'unsafe-inline'</c> without nonce, or
+///   missing <c>'strict-dynamic'</c>.</description></item>
+/// </list>
 /// </remarks>
 public record CspOptions
 {