
CSP Header Generator

Build Content-Security-Policy headers visually with presets for strict, moderate, and permissive policies. Configure script-src, style-src, img-src and more.


Content-Security-Policy

Content-Security-Policy: default-src 'self'

How to Use CSP Header Generator

  1. Choose a preset

    Start with a Strict, Moderate, or Permissive preset to get a solid baseline for your CSP policy.

  2. Customize directives

    Enable/disable individual directives and toggle common sources like 'self', 'unsafe-inline', or specific domains.

  3. Add custom domains

    Type custom domains or CDN URLs and press Enter or click Add to include them in a directive.

  4. Copy and deploy

    Copy the generated CSP header value and add it to your server configuration, HTML meta tag, or CDN headers.

Frequently Asked Questions

Content-Security-Policy (CSP) is an HTTP response header that controls which resources the browser is allowed to load for a page. It helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks.

'self' refers to the origin of the document itself (same scheme, host, and port). Using script-src 'self' means only scripts served from your own origin can execute.

'unsafe-inline' allows inline scripts and styles, which weakens CSP protection against XSS. Use it only if your application requires inline code and you cannot refactor to external files or use nonces.

Start with Strict for maximum security, then relax only what you need. Moderate is a good balance for most sites. Permissive is for sites that rely heavily on third-party scripts and CDNs.

No. All CSP generation happens entirely in your browser. Your data never leaves your machine.