
CSP Header Generator

Build a Content-Security-Policy header visually. Strict preset, report-only mode or full custom control. Get Nginx, Apache and meta tag snippets ready to paste.

Strict preset · Report-only mode · Custom builder · 15 directives · Nginx + Apache snippets

Free · No credit card · 50 credits/day

Three modes

Strict

A battle-tested strict policy: default-src 'self', no unsafe-inline, no unsafe-eval, object-src 'none', frame-ancestors 'none', upgrade-insecure-requests. Start here for new projects.

Content-Security-Policy: default-src 'self'; script-src 'self' 'strict-dynamic'; style-src 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests

Report-only

Uses Content-Security-Policy-Report-Only — same rules but never blocks anything, only sends violation reports. Perfect for testing a new policy on a live site before enforcing.

Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report

Custom

Build your own policy directive by directive. Set specific sources for scripts, styles, images, fonts, frames, connections, forms and more. Warnings highlight unsafe values.

Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com; img-src 'self' data: https:; ...

CSP directives reference

All 15 directives the generator supports.

default-src

Fallback for all resource types not explicitly set. Set 'self' as a safe baseline.

script-src

Which scripts can execute. Avoid 'unsafe-inline' — use nonces or hashes. 'strict-dynamic', paired with a nonce, is the modern approach.

style-src

Which stylesheets can be applied. 'unsafe-inline' allows inline <style> blocks.

img-src

Which images can be loaded. 'data:' is needed for base64 images; 'https:' allows any HTTPS image.

connect-src

fetch(), XHR, WebSocket and EventSource connections. Restrict to your own API domains.

font-src

Web font sources. If using Google Fonts add https://fonts.gstatic.com.

frame-src

Which domains can be loaded in <iframe>. Use 'none' unless you embed third-party content.

media-src

Audio and video sources.

object-src

Flash, plugins, <object> and <embed>. Always set to 'none' — no modern site needs plugins.

form-action

Which URLs forms can submit to. Prevents hijacking through injected <form> elements that would send user data elsewhere.

base-uri

Restricts URLs in <base> elements. Set to 'self' or 'none' to prevent base-tag injection.

frame-ancestors

Which pages can embed this page in an iframe. Supersedes X-Frame-Options. Use 'none' to block all embedding.

upgrade-insecure-requests

Automatically upgrades HTTP resource requests to HTTPS. Useful for legacy content with mixed URLs.

block-all-mixed-content

Blocks HTTP resources on HTTPS pages outright (stricter than upgrade-insecure-requests, which rewrites them to HTTPS instead).

report-uri

Endpoint that receives a JSON violation report each time the policy is violated. Use with report-only during testing.

Source value cheatsheet

Value              | Meaning                                              | Risk     | Guidance
'self'             | Same origin as the document                          | low      | Safe — use as baseline
'none'             | Block all sources (for object-src, frame-ancestors)  | low      | Safe — most restrictive
https://cdn.com    | Specific HTTPS origin                                | low      | Safe — allowlist approach
https:             | Any HTTPS URL                                        | medium   | Moderate — broad but encrypted
'unsafe-inline'    | Inline scripts/styles allowed                        | high     | Avoid — main XSS vector
'unsafe-eval'      | eval() and Function() allowed                        | high     | Avoid — arbitrary code execution
'strict-dynamic'   | Trust scripts loaded by trusted scripts (nonce)      | low      | Recommended modern approach
'nonce-{base64}'   | Allow specific inline script with matching nonce     | low      | Recommended for inline scripts
data:              | data: URIs (e.g. base64 images)                      | medium   | OK for img-src, risky for script-src
*                  | Any origin (wildcard)                                | critical | Never use in script-src

Frequently asked questions

What is a Content Security Policy?

CSP is an HTTP response header that tells browsers which sources of scripts, styles, images and other resources are allowed to load. A properly configured CSP is the most effective defence against XSS attacks — even if an attacker injects a malicious script tag, the browser refuses to execute it.

What is report-only mode?

Content-Security-Policy-Report-Only applies the same rules as CSP but never blocks anything — it only sends violation reports to your report-uri endpoint. Use it to test a new policy on a live site without breaking anything, then switch to the enforcing header once clean.

Is 'unsafe-inline' a problem?

'unsafe-inline' in script-src allows inline <script> blocks and inline event handlers — the main XSS attack vectors. Use nonces (script-src 'nonce-{random}') or hashes instead. 'strict-dynamic' combined with nonces is the modern recommended approach.

Can I set CSP with a meta tag?

Yes, but with limitations. <meta http-equiv='Content-Security-Policy'> works for most directives but does not support frame-ancestors, report-uri or sandbox. Setting CSP as an HTTP header is always preferred.

Related tools

More security header tools.

Security Headers Checker

Audit your site's security headers and get an A–F grade.

CORS Tester

Test CORS preflight and actual request headers for any URL.

SSL Certificate Checker

Check certificate expiry, issuer and SANs for any domain.

Build your CSP header now

Free account. 50 credits per day. Access to 75+ tools instantly.
