CSP Header Generator
Build a Content-Security-Policy header visually. Strict preset, report-only mode or full custom control. Get Nginx, Apache and meta tag snippets ready to paste.
Free · No credit card · 50 credits/day
Three modes
A battle-tested strict policy: default-src 'self', no 'unsafe-inline', no 'unsafe-eval', script-src locked with 'strict-dynamic', object-src 'none', frame-ancestors 'none', upgrade-insecure-requests. Start here for new projects. One caveat before deploying it: 'strict-dynamic' only works together with a nonce or hash. Once it is present, browsers ignore 'self' and host sources in script-src, so add a 'nonce-' value generated fresh for every response (and put it on each <script> tag) or no script will run. Add base-uri 'none' as well; default-src does not cover it.
Content-Security-Policy: default-src 'self'; script-src 'self' 'strict-dynamic'; style-src 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests
Uses the Content-Security-Policy-Report-Only header: the same directives, but nothing is blocked. Violations are only POSTed as JSON to the endpoint named in report-uri (or report-to), so give it one or the mode is useless. Perfect for trialling a new policy on a live site before enforcing it. Report-only cannot be delivered in a <meta> tag; it needs the HTTP header.
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report
Build your own policy directive by directive. Set specific sources for scripts, styles, images, fonts, frames, connections, forms and more. Warnings highlight unsafe values.
Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com; img-src 'self' data: https:; ...
CSP directives reference
All 15 directives the generator supports.
default-src
Fallback for the fetch directives (script-src, style-src, img-src, connect-src, font-src, frame-src, media-src, object-src) when they are not set explicitly. Set 'self' as a safe baseline. It does not apply to base-uri, form-action or frame-ancestors; those must be set on their own.
script-src
Which scripts can execute. Avoid 'unsafe-inline'; use nonces or hashes instead. 'strict-dynamic' is the modern approach: trust propagates from nonced or hashed scripts to the scripts they load, and host sources and 'self' are then ignored, so it must be paired with a nonce or hash.
style-src
Which stylesheets can be applied. 'unsafe-inline' allows inline <style> blocks and style attributes; prefer a nonce or hash where you can.
img-src
Which images can be loaded. 'data:' is needed for base64 images; 'https:' allows any HTTPS image.
connect-src
fetch(), XHR, WebSocket and EventSource connections. Restrict to your own API domains.
font-src
Web font sources. If using Google Fonts add https://fonts.gstatic.com.
frame-src
Which domains can be loaded in <iframe>. Use 'none' unless you embed third-party content.
media-src
Audio and video sources.
object-src
Flash, plugins, <object> and <embed>. Always set to 'none' — no modern site needs plugins.
form-action
Which URLs forms can submit to. Prevents hijacking of submissions by injected forms or a rewritten action attribute. Not covered by default-src, so set it explicitly ('self' is the usual value).
base-uri
Restricts URLs in <base> elements. Set to 'self' or 'none' to prevent base-tag injection, which would point every relative script URL at an attacker's host. Not covered by default-src.
frame-ancestors
Which pages can embed this page in an <iframe>. Supersedes X-Frame-Options. Use 'none' to block all embedding. Only honoured in the HTTP header; browsers ignore it in a <meta> tag.
upgrade-insecure-requests
Automatically upgrades HTTP resource requests to HTTPS. Useful for legacy content with mixed URLs.
block-all-mixed-content
Blocks HTTP resources on HTTPS pages instead of upgrading them (stricter than upgrade-insecure-requests). It is deprecated: modern browsers already block active mixed content by default, so prefer upgrade-insecure-requests.
report-uri
Endpoint that receives a JSON violation report (POSTed with content type application/csp-report) each time the policy is violated. Use it with report-only during testing. Deprecated in favour of report-to but still the most widely supported option; ignored when the policy is delivered in a <meta> tag. The endpoint is unauthenticated, so cap request size and expect noise from browser extensions.
Build your CSP header now
Free account. 50 credits per day. Access to 75+ tools instantly.
Create free account →