Build Content Security Policy headers interactively. Configure directives for script, style, image, and other resource sources.
Directives:
- default-src: Fallback for other directives
- script-src: Valid sources for JavaScript
- style-src: Valid sources for stylesheets
- img-src: Valid sources for images
- font-src: Valid sources for fonts
- connect-src: Valid targets for fetch, XHR, WebSocket
- media-src: Valid sources for audio and video
- object-src: Valid sources for plugins
- frame-src: Valid sources for frames
- base-uri: Restricts URLs for <base>
- form-action: Valid targets for form submissions
- frame-ancestors: Valid parents for embedding

Generated header value:
default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'

Equivalent <meta> tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'">
Note: frame-ancestors is ignored when the policy is delivered in a <meta> tag; send it as an HTTP header for it to take effect.

How to use:
1. Select allowed sources for each directive.
2. The CSP header string is generated.
3. Copy the header into your server configuration.
Content Security Policy (CSP) is an HTTP response header that helps prevent cross-site scripting (XSS) and other data injection attacks.
Supported directives include script-src, style-src, img-src, font-src, connect-src, frame-src, and more.
Content-Security-Policy-Report-Only lets you test a policy before enforcing it: violations are reported but not blocked.
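As an added example (not the builder's own code), the following serializes a directive map into the same header value the tool generates above, parses it back, and lints it for settings a reviewer would flag. The POLICY map is constructed here from the generated policy; the lint rules are this example's own assumptions about what counts as weak.

```python
# Constructed directive map mirroring the builder's generated policy above.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:", "https:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'none'"],
}

# Directives the CSP spec ignores when the policy arrives via <meta http-equiv>.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "sandbox"}


def build_csp(policy):
    """Serialize a directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def parse_csp(header):
    """Parse a CSP header value back into a directive map (directive -> source list)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def lint_csp(policy, delivery="header"):
    """Return findings about weak or ineffective settings (assumed rule set)."""
    findings = []
    # script-src falls back to default-src when absent.
    scripts = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in scripts and not any(s.startswith(("'nonce-", "'sha")) for s in scripts):
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash: inline XSS is not blocked")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in scripts or any(s.endswith(":") for s in scripts):  # e.g. https: allows every origin
        findings.append("script-src allows a scheme or wildcard source, so any host can serve scripts")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src is unset and default-src is not 'none': plugin content is allowed")
    if "base-uri" not in policy:
        findings.append("base-uri is unset: an injected <base> tag can redirect relative script URLs")
    if delivery == "meta":
        for d in sorted(META_UNSUPPORTED & policy.keys()):
            findings.append(f"{d} is ignored when CSP is delivered in a <meta> tag")
    return findings
```

Running lint_csp(POLICY) on the generated policy reports only the missing base-uri; passing delivery="meta" additionally flags frame-ancestors.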