CSP Builder

Content Security Policy Generator

Build a Content Security Policy header for your website. Choose a preset, customize directives, and get warnings about unsafe configurations. Always test with Report-Only mode first.

Recommended approach: Start with the Report-Only preset to monitor violations without breaking your site. After reviewing violation reports for 1-2 weeks, switch to enforcement mode.

CSP Preset

Edit Directives

default-src

script-src

style-src

img-src

font-src

connect-src

frame-src

frame-ancestors

object-src

base-uri

form-action

upgrade-insecure-requestsUse Report-Only mode

Generated Header

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-src 'none'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;

CSP Warnings

• 'unsafe-inline' in script-src negates most XSS protection. Consider using nonces or hashes instead.

• Always test with Content-Security-Policy-Report-Only before switching to enforcement mode.

Validate your CSP against a real site

Run the scanner to check if your deployed CSP is configured correctly.

Scan a Website