
CSP Header Generator

Build a Content-Security-Policy header by toggling directives and values. The generated policy string updates in real time as you configure each directive.


What is Content-Security-Policy?

Content-Security-Policy (CSP) is an HTTP response header that controls which resources a browser is allowed to load for a page. It mitigates cross-site scripting (XSS) and data-injection attacks by restricting each resource type to an explicit list of trusted sources. Start with a restrictive default-src 'self' and open individual directives only as needed. Use upgrade-insecure-requests to have the browser automatically rewrite HTTP URLs to HTTPS before fetching them.

How it works: Content-Security-Policy Header
1. Directives

CSP is a set of directives; each controls which sources are allowed for a specific resource type (scripts, styles, images, etc.).

2. Source lists

Each directive lists its allowed sources: 'self' (same origin), 'none' (block all), specific domains, 'unsafe-inline', 'unsafe-eval', or schemes such as https: and data:.

3. default-src

The fallback for any directive not explicitly set. Start with 'self' and open specific directives as needed.

4. Enforcement

The browser blocks any resource that violates the policy. Violations can be reported to a report-uri endpoint.

5. Header output

All directives are joined into a single Content-Security-Policy HTTP response header value.

Spec: W3C CSP Level 3, MDN Content-Security-Policy

Start restrictive (default-src 'none') and allow only what your app needs. Avoid 'unsafe-inline' and 'unsafe-eval' — they defeat most of CSP's XSS protection.
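The assembly described in steps 1 to 5 and the 'unsafe-inline'/'unsafe-eval' warning above, as an added example that is not the generator's own code: a directive map is serialized into the header value and then linted for the weak settings the page calls out. The sample policy, its host https://cdn.example and the /csp-report path are constructed for illustration.

```javascript
// Added example, not part of the original page or tool.
// Serialize a directive map into a Content-Security-Policy header value and
// lint it for the settings the page warns against.
const DIRECTIVE_NAME = /^[a-z][a-z0-9-]*$/;

// { "script-src": ["'self'", "https://cdn.example"] } becomes the header
// value "script-src 'self' https://cdn.example". Boolean directives such as
// upgrade-insecure-requests carry an empty value list.
function buildCspHeader(directives) {
  const parts = [];
  for (const [name, values] of Object.entries(directives)) {
    if (!DIRECTIVE_NAME.test(name)) throw new Error(`bad directive: ${name}`);
    const sources = (values || []).map((v) => v.trim()).filter(Boolean);
    for (const s of sources) {
      // ';' or ',' inside a source would end or split the directive;
      // whitespace would turn one source into two
      if (/[;,\s]/.test(s)) throw new Error(`bad source in ${name}: ${s}`);
    }
    parts.push([name, ...sources].join(" "));
  }
  return parts.join("; ");
}

// Return one warning per weakness: no default-src fallback (unlisted resource
// types are unrestricted) and any use of 'unsafe-inline' or 'unsafe-eval'.
function lintCsp(directives) {
  const warnings = [];
  if (!("default-src" in directives)) {
    warnings.push("no default-src: unlisted resource types are unrestricted");
  }
  for (const [name, values] of Object.entries(directives)) {
    for (const v of values || []) {
      if (v === "'unsafe-inline'" || v === "'unsafe-eval'") {
        warnings.push(`${name} allows ${v}, which defeats XSS protection`);
      }
    }
  }
  return warnings;
}

// Constructed sample policy: restrictive default, one script host, reporting.
const samplePolicy = {
  "default-src": ["'none'"],
  "script-src": ["'self'", "https://cdn.example"], // example host
  "img-src": ["'self'", "data:"],
  "upgrade-insecure-requests": [],
  "report-uri": ["/csp-report"], // example endpoint
};
```

Send the returned string as the value of the Content-Security-Policy response header; an empty lint result means none of the page's flagged settings are present.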

Frequently Asked Questions