CSP Generator

Build Content Security Policy headers visually. Toggle directives, select sources, and copy the complete header string. 100% client-side.

Directive Selection

default-src

Fallback for other directives

'self'

script-src

JavaScript sources

style-src

CSS stylesheet sources

img-src

Image sources

font-src

Font file sources

connect-src

Fetch, XHR, WebSocket

media-src

Audio and video

object-src

Plugins (Flash, etc.)

frame-src

Iframe sources

worker-src

Web Workers

manifest-src

Web manifest

base-uri

Restrict base element

form-action

Form submission targets

frame-ancestors

Who can embed this page

upgrade-insecure-requests

Upgrade HTTP to HTTPS

block-all-mixed-content

Block mixed HTTP/HTTPS

CSP Header Result

default-src 'self'

HTML Meta Tag

<meta http-equiv="Content-Security-Policy" content="default-src 'self'" />

Secure Headers

Content Security Policy (CSP) helps prevent Cross-Site Scripting (XSS) and other code injection attacks by restricting the sources of executable content, and helps prevent clickjacking by restricting who can embed the page.

Flexible Directives

Easily configure scripts, styles, images, and frames. Add custom domains, use nonces, or enforce strict policies with a simple visual interface.
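
The following is an added example, not this tool's own code: one way to assemble the header string from a set of toggled directives, rejecting source values that would smuggle in extra directives, and producing the meta-tag variant without the directives browsers ignore in a meta element. The names buildCsp, formatSource and the sample policy (including the nonce and cdn.example.com) are assumptions made for illustration.

```javascript
// Added example. Directive names are the ones listed on this page.
// Keyword sources must be single-quoted in the header; hosts and schemes must not be.
const KEYWORDS = new Set(["self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"]);
// Directives that have no effect when the policy is delivered via <meta http-equiv>.
const NOT_IN_META = new Set(["frame-ancestors", "report-uri", "sandbox"]);
const NONCE_OR_HASH = /^(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_-]+={0,2}$/;

function formatSource(src) {
  const bare = src.replace(/^'|'$/g, ""); // accept input with or without quotes
  if (KEYWORDS.has(bare) || NONCE_OR_HASH.test(bare)) return `'${bare}'`;
  // A custom domain containing whitespace, ';' or ',' would start a new
  // source, directive or policy, so it is refused rather than emitted.
  if (/[\s;,'"]/.test(src)) throw new Error(`invalid source: ${src}`);
  return src;
}

function buildCsp(policy, { forMeta = false } = {}) {
  const parts = [];
  for (const [name, sources] of Object.entries(policy)) {
    if (!/^[a-z-]+$/.test(name)) throw new Error(`invalid directive: ${name}`);
    if (forMeta && NOT_IN_META.has(name)) continue;
    if (sources === true) { parts.push(name); continue; } // valueless directive
    const list = sources.map(formatSource);
    if (list.includes("'none'") && list.length > 1) {
      throw new Error(`${name}: 'none' cannot be combined with other sources`);
    }
    parts.push(`${name} ${list.join(" ")}`);
  }
  return parts.join("; ");
}

// Constructed sample. A real nonce is generated by the server from a CSPRNG,
// fresh for every response, and repeated on each permitted <script> tag.
const sampleNonce = "Y29uc3RydWN0ZWQtbm9uY2U=";
const samplePolicy = {
  "default-src": ["self"],
  "script-src": ["self", `nonce-${sampleNonce}`],
  "img-src": ["self", "https://cdn.example.com"],
  "object-src": ["none"],
  "base-uri": ["self"],
  "frame-ancestors": ["none"],
  "upgrade-insecure-requests": true,
};

console.log("Header:", buildCsp(samplePolicy));
console.log("Meta:  ", buildCsp(samplePolicy, { forMeta: true }));
```

Because frame-ancestors is dropped from the meta variant, the embedding restriction only takes effect when the policy is sent as an HTTP response header.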