Content Security Policy Generator

Generate secure Content-Security-Policy headers for your web application.

Presets

Source Directives

default-src Fallback for other directives

script-src

style-src

img-src

font-src

connect-src

frame-src

frame-ancestors

form-action

base-uri

Options

upgrade-insecure-requests

block-all-mixed-content

Report-Only Mode

report-uri

Generated CSP

HTML Meta Tag

HTTP Header

Nginx Configuration

ASP.NET Core Middleware

What Is Content Security Policy (CSP)?

Content Security Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks. It works by allowing website owners to declare which sources of content (scripts, styles, images, fonts, etc.) the browser should trust. Any content loaded from unauthorized sources is blocked by the browser.

CSP is implemented as an HTTP response header (Content-Security-Policy) and is supported by all modern browsers. It acts as a defense-in-depth layer — even if an attacker finds an XSS vulnerability, a strict CSP can prevent the injected script from executing.

How Does CSP Work?

A CSP header contains one or more directives, each controlling a specific resource type:

default-src: Fallback policy for all resource types not explicitly configured.
script-src: Controls where JavaScript can be loaded from.
style-src: Controls where CSS stylesheets can be loaded from.
img-src: Controls where images can be loaded from.
font-src: Controls where web fonts can be loaded from.
connect-src: Controls which URLs can be accessed via fetch, XHR, or WebSocket.
frame-src: Controls which origins can be embedded in iframes.

CSP Source Values

Value	Meaning
`'self'`	Same origin only (same protocol, host, and port)
`'none'`	Block all sources for this directive
`'unsafe-inline'`	Allow inline scripts/styles (weakens CSP significantly)
`'unsafe-eval'`	Allow `eval()` and similar dynamic code execution
`https:`	Allow any HTTPS source
`data:`	Allow `data:` URIs (e.g., inline images)
Specific domain	Allow a specific origin (e.g., `https://cdn.example.com`)

Common Use Cases

XSS Prevention: Block unauthorized scripts from executing, even if injected into your HTML.
Third-Party Script Control: Whitelist only trusted CDNs and analytics services.
Compliance: Many security standards (PCI-DSS, SOC 2) recommend or require CSP headers.
Clickjacking Prevention: Use frame-ancestors to control who can embed your site.

How to Use This Tool

Select the content sources you want to allow for each directive.
Configure script-src, style-src, img-src, and other CSP directives.
Add custom domains or use predefined values like 'self'.
Copy the generated Content-Security-Policy header for your server.

Why Use This Tool?

Protect your site against XSS and data injection attacks.
Generate correct CSP headers without memorizing the syntax.
Test different policy configurations before deploying.
Essential for modern web application security.

Frequently Asked Questions

Will CSP break my website?

A strict CSP can block legitimate resources if not configured carefully. Start with Content-Security-Policy-Report-Only to test your policy without enforcing it, then switch to Content-Security-Policy once validated.

Should I avoid `'unsafe-inline'`?

Yes, whenever possible. Inline scripts and styles are the primary attack vector for XSS. Use nonce-based ('nonce-xyz') or hash-based CSP to allow specific inline scripts instead.