CSP Header Generator

Generate Content-Security-Policy HTTP headers to protect your website against XSS, clickjacking, and other code injection attacks.

Directives

default-src

Fallback for other directives

script-src

Valid sources for JavaScript

style-src

Valid sources for stylesheets

img-src

Valid sources for images

font-src

Valid sources for fonts

connect-src

URLs for fetch, XMLHttpRequest, WebSocket

media-src

Valid sources for audio/video

object-src

Valid sources for plugins (Flash, etc.)

frame-src

Valid sources for iframes

frame-ancestors

Who can embed this page in an iframe

base-uri

Restricts URLs for the base element

form-action

Restricts form submission targets

worker-src

Valid sources for web workers

manifest-src

Valid sources for manifest files

Generated CSP Header

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests

Server Configuration

Nginx:
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests" always;

Apache:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"

HTML meta tag (browsers ignore frame-ancestors and report-uri when the policy is delivered in a meta element, so prefer the HTTP header where you control the server):
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests">

About Content-Security-Policy

CSP is a security layer that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.

  • XSS Prevention - Block inline scripts and unauthorized script sources
  • Clickjacking Protection - Control iframe embedding with frame-ancestors
  • Data Exfiltration - Restrict where forms can submit (form-action) and where scripts can connect (connect-src)
  • Mixed Content - upgrade-insecure-requests forces HTTPS for all resources

Testing Tip

Start with Content-Security-Policy-Report-Only to test your policy without blocking resources. Monitor reports before enforcing.

What is This Tool?

A Content Security Policy generator builds CSP headers that control which resources (scripts, styles, images, fonts) browsers are allowed to load on your pages. CSP is one of the strongest browser-enforced defenses against XSS attacks, data injection, and unauthorized resource loading.

CSP uses directives to whitelist resource sources: script-src for JavaScript, style-src for CSS, img-src for images, connect-src for APIs, etc. The default-src fallback covers any unconfigured directive. Violation reports can be sent to a reporting endpoint for monitoring.

Common Use Cases

XSS Prevention

Block inline scripts and restrict JavaScript sources to prevent cross-site scripting attacks.

Third-Party Control

Explicitly whitelist allowed third-party resources (analytics, CDNs, payment widgets) and block everything else.

Security Audit Compliance

Implement CSP to meet security audit requirements, penetration test recommendations, and compliance standards.

Violation Monitoring

Configure report-uri or report-to endpoints to collect CSP violation reports and identify policy issues.

Frequently Asked Questions

How do I start with CSP?

Begin with Content-Security-Policy-Report-Only to log violations without blocking resources. Review reports, add necessary sources, then switch to enforcement.

What does unsafe-inline mean?

Allows inline <script> and <style> elements and inline event handlers. This defeats much of CSP's XSS protection, because injected inline script is exactly what the policy should be blocking. Prefer a per-response nonce ('nonce-abc123') or a hash of each inline element's content instead; when a nonce or hash is present in a directive, CSP Level 2 browsers ignore 'unsafe-inline' in that directive.
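An added example (not part of the generator) that builds the policy shown above, computes hash and nonce sources so 'unsafe-inline' can be dropped from style-src, emits the Report-Only header name for testing, and flags the remaining weak spots; the function names and the review checks are this example's own:

```python
import base64
import hashlib
import secrets

# Policy from the generator above as an ordered mapping; [] means no sources.
GENERATED = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:", "https:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
    "upgrade-insecure-requests": [],
}

def inline_hash(body: str, algo: str = "sha256") -> str:
    """Hash-source for an inline body; the digest covers the exact text between the tags, whitespace included."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"

def new_nonce() -> str:
    """128-bit unguessable nonce; mint one per response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def header(directives: dict, report_only: bool = False) -> tuple:
    """(header name, header value); report_only selects the monitoring header."""
    name = "Content-Security-Policy" + ("-Report-Only" if report_only else "")
    return name, "; ".join(" ".join([d, *srcs]) for d, srcs in directives.items())

def allow_inline(directives: dict, directive: str, nonce: str, bodies: list) -> dict:
    """Copy of the policy where `directive` swaps 'unsafe-inline' for a nonce
    (templated blocks) plus hashes of the static inline blocks in `bodies`."""
    out = dict(directives)
    srcs = [s for s in out.get(directive, ["'self'"]) if s != "'unsafe-inline'"]
    out[directive] = srcs + [f"'nonce-{nonce}'"] + [inline_hash(b) for b in bodies]
    return out

def weaknesses(directives: dict) -> list:
    """Findings to review before switching the header from Report-Only to enforcing."""
    found = []
    for d in ("script-src", "style-src"):
        srcs = directives.get(d, directives.get("default-src", []))
        strong = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs)
        if "'unsafe-inline'" in srcs and not strong:
            found.append(f"{d}: 'unsafe-inline' with no nonce or hash; inline injection is not blocked")
    return found
```

Run `weaknesses` on the generator's output before enforcing; the policy above reports its style-src 'unsafe-inline', and `allow_inline` removes that finding once the static stylesheet bodies are hashed.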

Can CSP break my site?

Yes. A strict CSP may block legitimate resources. Always test in report-only mode first and add necessary source directives before enforcing.