Generate output instantly with CSP Header Generator. Customizable options and one-click copy.
100% free, no signup required. Works entirely in your browser.
Open CSP Header Generator
1. Select allowed sources for each directive.
2. The CSP header string is generated.
3. Copy the header into your server configuration.
Content Security Policy (CSP) is an HTTP response header that restricts which resources a browser can load for a given page. It is one of the most effective defenses against Cross-Site Scripting (XSS) and data injection attacks. By specifying trusted sources for scripts, styles, images, and other resources, CSP prevents unauthorized code execution even if an attacker finds an injection point.
CSP supports numerous directives including script-src (JavaScript sources), style-src (CSS sources), img-src (image sources), font-src (font files), connect-src (AJAX/WebSocket endpoints), frame-src (iframe sources), media-src (audio/video), and default-src (fallback for all resource types). Each directive can specify domains, 'self', 'unsafe-inline', nonces, and hashes.
Deploying Content-Security-Policy-Report-Only first is strongly recommended. This mode logs policy violations without blocking any resources, so you can identify the legitimate resources your policy still needs to allow. Once the policy produces no unexpected violations, switch to the enforcing Content-Security-Policy header to actively block unauthorized resources.
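As an added illustration of what a generator like this does (this is not the tool's own code), the following builds the header value from a directive-to-sources map, quoting keywords, nonces and hashes correctly, emits either the Report-Only or the enforcing header name, and flags settings that weaken script restrictions. The host cdn.example.com and the /csp-report endpoint are constructed placeholders.

```python
import base64
import secrets
from typing import Mapping, Sequence

# Keyword source expressions, nonces and hashes must be single-quoted in the
# header; host sources, schemes such as data: and report endpoints must not be.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}
PREFIXES = ("nonce-", "sha256-", "sha384-", "sha512-")

def quote_source(src: str) -> str:
    """Render one source expression in header syntax."""
    if src in KEYWORDS or src.startswith(PREFIXES):
        return f"'{src}'"
    return src

def new_nonce() -> str:
    """Fresh per-response nonce (128 bits, standard base64) for 'nonce-...' sources."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_csp(policy: Mapping[str, Sequence[str]], report_only: bool = False) -> tuple[str, str]:
    """Return (header name, header value) for a directive -> sources map.

    Directives are emitted in the order given, joined by '; '. report_only
    selects the non-blocking header used during rollout.
    """
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    parts = [" ".join([directive, *map(quote_source, sources)]) for directive, sources in policy.items()]
    return name, "; ".join(parts)

def lint_policy(policy: Mapping[str, Sequence[str]]) -> list[str]:
    """Flag settings that undo the XSS protection CSP is meant to provide."""
    warnings = []
    if "default-src" not in policy:
        warnings.append("no default-src: resource types without their own directive are unrestricted")
    # script-src falls back to default-src when absent, so lint the effective list.
    scripts = policy.get("script-src", policy.get("default-src", []))
    if "unsafe-inline" in scripts:
        warnings.append("'unsafe-inline' in script sources permits inline scripts, injected ones included")
    if "unsafe-eval" in scripts:
        warnings.append("'unsafe-eval' in script sources permits eval()-style execution of strings")
    return warnings

if __name__ == "__main__":
    # Constructed sample policy; cdn.example.com and /csp-report are placeholders.
    policy = {
        "default-src": ["self"],
        "script-src": ["self", f"nonce-{new_nonce()}", "https://cdn.example.com"],
        "img-src": ["self", "data:"],
        "report-uri": ["/csp-report"],
    }
    for warning in lint_policy(policy):
        print("warning:", warning)
    name, value = build_csp(policy, report_only=True)  # roll out in Report-Only mode first
    print(f"{name}: {value}")
```

Report-Only violations are only written to the browser console unless the policy also names a report-uri or report-to endpoint, which is why the sample policy includes one.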