How does the scoring system work?

This tool only detects the presence of a security policy in the response headers. It doesn’t validate any policy against best practices. Therefore, even a ‘Content Security Policy’ that contains a wildcard will still pass as a detected, valid ‘Content Security Policy’.

The tool was designed to help you quickly check whether your server is sending response headers that contain the above security policies. It adds 11 points for every security policy it detects in the response headers.
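The gap between detecting a header and validating it, shown as an added example (not the tool's own code): `presence_score` applies the 11-points-per-header rule described above, while `csp_findings` is a hypothetical follow-up check for the wildcard case that a presence-only score ignores. The `TRACKED_HEADERS` list and the sample headers are assumptions constructed for illustration.

```python
# Assumed header list; the tool's actual list is not reproduced here.
TRACKED_HEADERS = (
    "content-security-policy", "strict-transport-security",
    "x-content-type-options", "x-frame-options", "referrer-policy",
)
POINTS_PER_HEADER = 11  # from the page: 11 points per detected policy


def presence_score(headers):
    """Score the way the page describes: header present -> 11 points."""
    names = {name.strip().lower() for name in headers}
    detected = [h for h in TRACKED_HEADERS if h in names]
    return len(detected) * POINTS_PER_HEADER, detected


def parse_csp(value):
    """Split a CSP value into {directive: [source, ...]}; first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_findings(value):
    """Flag weaknesses that a presence-only check never looks at."""
    policy = parse_csp(value)
    findings = []
    # script-src falls back to default-src when it is absent
    script_sources = policy.get("script-src", policy.get("default-src"))
    if script_sources is None:
        findings.append("no script-src or default-src: scripts unrestricted")
    else:
        for src in script_sources:
            if src in ("*", "http:", "https:"):
                findings.append(f"script source {src} allows any host")
            elif src.lower() in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"script source {src} weakens the policy")
    return findings


# Constructed sample response headers (not captured from a real server)
SAMPLE = {
    "Content-Security-Policy": "default-src *; img-src 'self'",
    "X-Content-Type-Options": "nosniff",
}
```

With `SAMPLE`, the wildcard policy earns the same 11 points as a strict one, and only `csp_findings` reports the problem.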
