Security & Network

CSP Header Generator

Build Content-Security-Policy headers visually with presets and per-directive controls

Report-Only

default-src

Fallback for all fetch directives

script-src

Valid sources for JavaScript

style-src

Valid sources for stylesheets

img-src

Valid sources for images

font-src

Valid sources for fonts

connect-src

Valid targets for fetch/XHR/WebSocket

media-src

Valid sources for audio/video

frame-src

Valid sources for iframes

object-src

Valid sources for plugins (Flash, etc.)

base-uri

Valid URLs for <base> element

form-action

Valid targets for form submissions

frame-ancestors

Who can embed this page (clickjacking protection)

upgrade-insecure-requests

Auto-upgrade HTTP to HTTPS

Generated Header

Content-Security-Policy: default-src 'self'

What is CSP Header Generator?

A Content-Security-Policy (CSP) header tells browsers which resources are allowed to load on your page. It prevents XSS attacks, data injection and clickjacking by restricting scripts, styles, images, fonts and other resources to trusted sources. This tool lets you build CSP headers visually instead of writing the complex syntax by hand.

How to Use CSP Header Generator

1
Start with a preset
Choose Strict, Moderate or Permissive as a starting point based on your security needs.
2
Configure directives
Toggle source values for each directive. Add custom domains where needed.
3
Test with Report-Only
Enable Report-Only mode to test your policy without breaking your site.
4
Copy and deploy
Copy the generated header and add it to your server configuration.

Features

13 CSP directives with visual toggles
3 security presets (Strict, Moderate, Permissive)
Custom domain allowlisting per directive
Report-Only mode for safe testing
Apache, Nginx and meta tag output
Real-time header preview

Related Tools

Password Generator

Generate strong, random passwords with customizable length, symbols, numbers and uppercase letters.

Open tool

Password Strength Checker

Analyze password strength with entropy calculation, pattern detection and crack time estimation.

Open tool

HTTP Header Checker

View any URL's HTTP response headers including security headers, caching and server info.

Open tool

SSL Certificate Checker

Check SSL certificate expiry, issuer, chain and protocol for any domain. Verify HTTPS security.

Open tool

DNS Lookup

Query A, AAAA, MX, TXT, NS and CNAME records for any domain. View DNS configuration instantly.

Open tool

WHOIS Lookup

Look up domain registration details including registrar, creation date, expiry and nameservers.

Open tool

See all Security & Network tools

Frequently Asked Questions

What does Content-Security-Policy do?+

CSP tells browsers which sources are allowed to load scripts, styles, images and other resources. It is the most effective defense against XSS (cross-site scripting) attacks.

Should I start with Strict or Moderate?+

Start with Report-Only mode and a Moderate policy to see what would break. Once you have fixed all violations, switch to enforcement and tighten to Strict if possible.

What is unsafe-inline?+

unsafe-inline allows inline <script> and <style> tags. It weakens CSP significantly but is needed for many frameworks. Consider using nonces or hashes instead.

What is frame-ancestors?+

frame-ancestors controls who can embed your page in an iframe. Setting it to 'none' prevents clickjacking attacks. It replaces the older X-Frame-Options header.

Security & Network tools/All tools

Security & Network

CSP Header Generator

Build Content-Security-Policy headers visually with presets and per-directive controls

Report-Only

default-src

Fallback for all fetch directives

script-src

Valid sources for JavaScript

style-src

Valid sources for stylesheets

img-src

Valid sources for images

font-src

Valid sources for fonts

connect-src

Valid targets for fetch/XHR/WebSocket

media-src

Valid sources for audio/video

frame-src

Valid sources for iframes

object-src

Valid sources for plugins (Flash, etc.)

base-uri

Valid URLs for <base> element

form-action

Valid targets for form submissions

frame-ancestors

Who can embed this page (clickjacking protection)

upgrade-insecure-requests

Auto-upgrade HTTP to HTTPS

Generated Header

Content-Security-Policy: default-src 'self'

What is CSP Header Generator?

How to Use CSP Header Generator

Start with a preset

Choose Strict, Moderate or Permissive as a starting point based on your security needs.

Configure directives

Toggle source values for each directive. Add custom domains where needed.

Test with Report-Only

Enable Report-Only mode to test your policy without breaking your site.

Copy and deploy

Copy the generated header and add it to your server configuration.

Frequently Asked Questions

What does Content-Security-Policy do?+

CSP tells browsers which sources are allowed to load scripts, styles, images and other resources. It is the most effective defense against XSS (cross-site scripting) attacks.

Should I start with Strict or Moderate?+

Start with Report-Only mode and a Moderate policy to see what would break. Once you have fixed all violations, switch to enforcement and tighten to Strict if possible.

What is unsafe-inline?+

unsafe-inline allows inline <script> and <style> tags. It weakens CSP significantly but is needed for many frameworks. Consider using nonces or hashes instead.

What is frame-ancestors?+

frame-ancestors controls who can embed your page in an iframe. Setting it to 'none' prevents clickjacking attacks. It replaces the older X-Frame-Options header.