CSP Header Builder

Build Content Security Policy headers interactively. Select directives, choose presets or add custom sources, and generate the full CSP header ready to copy into your server config.

Content-Security-Policy:

HTML <meta> tag:

Apache (.htaccess):

Nginx:

About Content Security Policy

Content Security Policy (CSP) is an HTTP response header that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks. It works by specifying which content sources the browser should trust.

Key Directives

default-src — Fallback for all fetch directives not explicitly set
script-src — Controls which scripts can execute
style-src — Controls which stylesheets can load
img-src — Controls which images can load
connect-src — Controls fetch, XHR, WebSocket destinations
font-src — Controls which fonts can load
frame-src — Controls which URLs can be embedded in iframes

Source Keywords

'self' — Same origin only
'none' — Block everything
'unsafe-inline' — Allow inline scripts/styles (weakens CSP)
'unsafe-eval' — Allow eval() and similar (weakens CSP)
https: — Any HTTPS source
data: — Allow data: URIs

Related Tools

Meta Tag Generator — generate HTML meta tags
SSL Checker — check SSL certificate details
Hash Generator — generate SRI hashes for CSP
HTTP Status Codes — HTTP response code reference
DNS Lookup — check DNS records