Build Content Security Policy headers interactively. Configure directives for script, style, image, and other resource sources.
Directives you can configure:

default-src: fallback for other directives
script-src: valid sources for JavaScript
style-src: valid sources for stylesheets
img-src: valid sources for images
font-src: valid sources for fonts
connect-src: valid targets for fetch, XHR, WebSocket
media-src: valid sources for audio and video
object-src: valid sources for plugins
frame-src: valid sources for frames
base-uri: restricts URLs for <base>
form-action: valid targets for form submissions
frame-ancestors: valid parents for embedding

Example generated policy:

default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'

The same policy as a meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'">

Note that frame-ancestors is only honored when delivered as an HTTP header; browsers ignore it in a meta tag.

How to use:
1. Select allowed sources for each directive.
2. The CSP header string is generated.
3. Copy the header for your server config.
Use the CSP Header Generator when hardening your web application's security posture, particularly after a security audit or penetration test. It supports compliance with security standards such as PCI DSS and helps address the injection risks catalogued in the OWASP Top 10. Frontend developers use it when deploying new applications to production, and security engineers use it to create and refine policies that prevent XSS without breaking legitimate functionality.
Content Security Policy (CSP) is an HTTP response header that restricts which resources a browser can load for a given page. It is one of the most effective defenses against Cross-Site Scripting (XSS) and data injection attacks. By specifying trusted sources for scripts, styles, images, and other resources, CSP prevents unauthorized code execution even if an attacker finds an injection point.
CSP supports numerous directives including script-src (JavaScript sources), style-src (CSS sources), img-src (image sources), font-src (font files), connect-src (AJAX/WebSocket endpoints), frame-src (iframe sources), media-src (audio/video), and default-src (fallback for all resource types). Each directive can specify domains, 'self', 'unsafe-inline', nonces, and hashes.
Yes, deploying Content-Security-Policy-Report-Only first is strongly recommended. This mode logs policy violations without blocking any resources, allowing you to identify legitimate resources that need allowlisting. Violations are reported to the browser console, and to a collection endpoint if the policy includes a report-uri or report-to directive. Once your policy produces no unexpected violations, switch to the enforcing Content-Security-Policy header to actively block unauthorized resources.
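The directive list above and the Report-Only rollout described here, as an added example that is not the generator's own code: a small Node.js module that serializes a directive map to a header value, parses one back, audits it for the weaknesses a hardening review should catch (an 'unsafe-inline' script-src with no nonce or hash, bare scheme or wildcard script sources, a missing object-src or base-uri), and picks the right header name for the rollout phase. The function names and the audit messages are this example's own choices; the sample policy is the one shown by the generator.

```javascript
// Serialize a directive map into a CSP header value. Keys are directive
// names, values are arrays of source expressions; insertion order is kept.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Parse a header value back into a directive map (inverse of buildCsp).
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Flag weaknesses a hardening review should catch before enforcing.
// script-src falls back to default-src when it is not set, as browsers do.
function auditCsp(directives) {
  const findings = [];
  const script = directives["script-src"] || directives["default-src"] || [];
  const hasNonceOrHash = script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
  if (script.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (script.some((s) => ["*", "https:", "http:"].includes(s)))
    findings.push("script-src allows a bare scheme or wildcard source");
  if (!directives["object-src"] && !directives["default-src"])
    findings.push("object-src is not set and default-src is absent");
  if (!directives["base-uri"]) findings.push("base-uri is not set");
  return findings;
}

// Pick the header name: Report-Only during rollout, enforcing afterwards.
function cspHeader(directives, { reportOnly = false } = {}) {
  const name = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  return { name, value: buildCsp(directives) };
}

// Constructed sample: the policy shown by the generator above.
const SAMPLE_POLICY = parseCsp(
  "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; " +
  "img-src 'self' data: https:; font-src 'self'; connect-src 'self'; " +
  "object-src 'none'; frame-ancestors 'none'"
);
```

Running auditCsp on the sample policy reports only that base-uri is unset, which is exactly the kind of gap to close before switching from the Report-Only header to the enforcing one.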