Directive reference. Each row gives the directive, the value the builder proposes, and its purpose. Flags: [Strict] = part of Google's recommended Strict CSP; [No Meta] = browsers ignore it when the policy is delivered in a <meta http-equiv> tag, so it must be sent as an HTTP header; [Deprecated] = superseded, kept only for older browsers.

Core Directives
  default-src      'none'                    Fallback for every fetch directive that is not set explicitly; deny by default.      [Strict]
  script-src       'self' 'nonce-{RANDOM}'   Same-origin scripts plus inline or external scripts carrying the per-response nonce.  [Strict]
                                             {RANDOM} must be a fresh, unguessable value (at least 128 bits, base64) on every response.
  style-src        'self' 'unsafe-inline'    Same-origin stylesheets plus inline styles. 'unsafe-inline' here is a common compromise for
                                             framework-generated styles; nonces work for styles too and are stricter.

Security Hardening
  object-src       'none'                    Blocks plugin content (<object>, <embed>, legacy Flash/Java). Required for Strict CSP.   [Strict]
  base-uri         'none'                    Blocks <base> tag injection, which would redirect relative script URLs. Required for Strict CSP.  [Strict]
  frame-ancestors  'none'                    Controls who may frame this page; prevents clickjacking and replaces X-Frame-Options.   [No Meta]
  form-action      'self'                    Restricts where forms may submit.
  frame-src        'self'                    Allowed sources for <frame> and <iframe> content.
  sandbox          allow-scripts allow-same-origin   Applies iframe-style sandbox flags to the document itself.   [No Meta]
                                             With both allow-scripts and allow-same-origin enabled the sandbox provides little isolation;
                                             enable only the flags you need, or leave the directive off.

Resource Control
  img-src          'self' data:              Same-origin images plus data: URIs.
  font-src         'self'                    Same-origin fonts.
  connect-src      'self'                    Endpoints reachable via XHR, fetch, WebSocket and EventSource.
  media-src        'self'                    Same-origin audio and video.
  worker-src       'self'                    Web Workers, Shared Workers and Service Workers.
  child-src        'self'                    Fallback for worker-src and frame-src in browsers that lack them.
  manifest-src     'self'                    Web app manifest sources.

Advanced Options
  'strict-dynamic'             keyword in script-src   Scripts loaded by an already-trusted (nonced or hashed) script are trusted in turn;
                                                       host allowlists in script-src are ignored when it is present.
  upgrade-insecure-requests    no value                Rewrites http:// subresource URLs to https:// before fetching.
  block-all-mixed-content      no value                Blocks HTTP subresources on HTTPS pages.   [Deprecated]
  require-trusted-types-for    'script'                DOM XSS sinks (innerHTML, eval, script.src, ...) accept only Trusted Types objects.
  report-to                    csp-endpoint            Violation reporting group; the group is defined in the Reporting-Endpoints header.   [No Meta]
  report-uri                   /csp-reports            Legacy violation report endpoint; use report-to.   [Deprecated] [No Meta]
Google's recommended Strict CSP combines script-src with a per-response nonce (or hashes), object-src 'none', and base-uri 'none' (or 'self'); enable those three directives together to reach the Strict security level.
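The checks behind the Strict, No Meta and Deprecated flags can be applied to any existing policy. The linter below is an added example (not the builder's own code) that parses a serialized Content-Security-Policy header the way browsers do (first occurrence of a directive wins, names case-insensitive) and reports the weaknesses a reviewer would look for. The sample policies and the host cdn.example.com are constructed for the demonstration.

```python
"""Lint a CSP header against the strict-CSP checklist from the directive table.

Added example; not the builder tool's code. Encodes Google's strict-CSP
guidance (nonce/hash-based script-src, object-src 'none', restricted
base-uri) plus the No Meta and Deprecated flags.
"""
import re

# Directives browsers ignore when the policy arrives in a <meta> tag.
META_UNSUPPORTED = {"frame-ancestors", "sandbox", "report-uri", "report-to"}
DEPRECATED = {"block-all-mixed-content", "report-uri"}
# 'nonce-<base64>' or 'sha256-<base64>' style source expressions.
NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_-]+=*'$")


def parse_csp(header: str) -> dict:
    """Split a serialized policy into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated, names
    case-insensitive. Browsers keep only the first occurrence of a
    duplicated directive, so this does the same.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_csp(header: str, delivered_via_meta: bool = False) -> list:
    """Return human-readable findings; an empty list means the policy passes."""
    policy = parse_csp(header)
    findings = []

    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    else:
        nonced = any(NONCE_OR_HASH.match(t) for t in script)
        if "'unsafe-inline'" in script and not nonced:
            findings.append("script-src: 'unsafe-inline' without a nonce or hash lets injected inline scripts run")
        if "'unsafe-eval'" in script:
            findings.append("script-src: 'unsafe-eval' permits eval() on attacker-influenced strings")
        if "'strict-dynamic'" in script and not nonced:
            findings.append("script-src: 'strict-dynamic' does nothing without a nonce or hash")
        hosts = [t for t in script if not t.startswith("'")]
        if hosts and not nonced:
            findings.append(f"script-src: relies on a host allowlist {hosts}; strict CSP uses nonces or hashes instead")

    # object-src falls back to default-src; base-uri does not fall back at all.
    if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be injected")
    if policy.get("base-uri") not in (["'none'"], ["'self'"]):
        findings.append("base-uri is unset or permissive: an injected <base> tag can redirect relative script URLs")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors is unset: the page can be framed (clickjacking)")

    for name in sorted(policy):
        if name in DEPRECATED:
            findings.append(f"{name} is deprecated")
        if delivered_via_meta and name in META_UNSUPPORTED:
            findings.append(f"{name} is ignored when the policy is delivered in a <meta> tag")
    return findings


def security_level(header: str) -> str:
    """Rough equivalent of a 'Security Level' indicator: weak, moderate or strict."""
    policy = parse_csp(header)
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        return "weak"
    nonced = any(NONCE_OR_HASH.match(t) for t in script)
    if "'unsafe-inline'" in script and not nonced:
        return "weak"
    objects = policy.get("object-src", policy.get("default-src"))
    if nonced and objects == ["'none'"] and policy.get("base-uri") in (["'none'"], ["'self'"]):
        return "strict"
    return "moderate"


if __name__ == "__main__":
    # Constructed sample policies; cdn.example.com is a placeholder host.
    strict = ("default-src 'none'; script-src 'nonce-abc123' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'; frame-ancestors 'none'")
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; report-uri /csp-reports"
    for name, policy in (("strict", strict), ("weak", weak)):
        print(name, security_level(policy), lint_csp(policy, delivered_via_meta=True))
```

Run it against the header your server actually sends (curl -sI https://your.site | grep -i content-security-policy) rather than the one you think you configured; proxies and CDNs sometimes add or override the header.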

About This Tool

Content Security Policy (CSP) is a browser security mechanism, delivered as an HTTP response header (or, with limitations, a <meta> tag), that restricts where a page may load scripts, styles, frames and other resources from and which inline code may run. Applied well, it mitigates cross-site scripting (XSS), clickjacking and other injection attacks; it is a defence in depth, not a replacement for output encoding. This builder helps you assemble a policy by selecting the directives you need.

Features

  • 20+ directives organized by category
  • Quick presets for Google Fonts, Analytics, YouTube, and CDNs
  • Custom domains: add your own URLs to any directive
  • 7 export formats: HTTP header, Nginx, Apache, Cloudflare, Netlify, Vercel, and meta tag
  • Report-Only mode: test your policy before enforcing it
  • Security warnings: recommendations for a stronger policy

How to Use

  1. Enable the directives you need for your website
  2. Use quick presets to add common third-party services
  3. Add custom domains by clicking the + button on editable directives
  4. Select your server format (Nginx, Apache, Cloudflare, etc.)
  5. Enable Report-Only mode to test before enforcing
  6. Copy the result into your server configuration
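The six steps above, carried out in code: the added example below (not the builder's own code) merges selected directives with third-party presets, substitutes a per-response nonce for the {RANDOM} placeholder, and renders the result as an HTTP header, Nginx, Apache, Netlify, Vercel or meta tag output, with Report-Only as a switch. The preset host lists are assumptions based on the hosts those services commonly use; verify them against the provider's documentation before deploying. Cloudflare is omitted because its header rules are configured in the dashboard or a Worker rather than in a single text fragment.

```python
"""Assemble a CSP from selected directives and presets, then export it.

Added example; not the builder tool's code. Preset hosts are assumed.
"""
import base64
import json
import secrets

# Quick presets in the style of the tool (assumed host lists; verify per provider).
PRESETS = {
    "google-fonts": {
        "style-src": ["https://fonts.googleapis.com"],
        "font-src": ["https://fonts.gstatic.com"],
    },
    "youtube": {"frame-src": ["https://www.youtube.com", "https://www.youtube-nocookie.com"]},
}

# Directives a <meta http-equiv> policy cannot carry (the "No Meta" flag).
META_UNSUPPORTED = ("frame-ancestors", "sandbox", "report-uri", "report-to")


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64 encoded. One per response, never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_policy(directives: dict, presets=(), nonce=None) -> str:
    """Merge presets into the chosen directives and serialize the policy.

    '{RANDOM}' inside any source expression is replaced with the supplied
    nonce, mirroring the 'nonce-{RANDOM}' placeholder in the directive table.
    """
    merged = {name: list(values) for name, values in directives.items()}
    for preset in presets:
        for name, hosts in PRESETS[preset].items():
            bucket = merged.setdefault(name, [])
            for host in hosts:
                if host not in bucket:
                    bucket.append(host)
    parts = []
    for name, values in merged.items():
        if nonce is None and any("{RANDOM}" in v for v in values):
            raise ValueError(f"{name} uses a nonce placeholder but no nonce was supplied")
        values = [v.replace("{RANDOM}", nonce) if nonce else v for v in values]
        parts.append(" ".join([name, *values]))
    return "; ".join(parts)


def meta_incompatible(policy: str) -> list:
    """Directives in the policy that browsers ignore inside a <meta> tag."""
    names = [part.split()[0].lower() for part in policy.split(";") if part.strip()]
    return [n for n in names if n in META_UNSUPPORTED]


def export(policy: str, fmt: str, report_only: bool = False) -> str:
    """Render the policy for a deployment target."""
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    if fmt == "header":
        return f"{header}: {policy}"
    if fmt == "nginx":
        # 'always' also emits the header on 4xx/5xx responses, which add_header otherwise skips.
        return f'add_header {header} "{policy}" always;'
    if fmt == "apache":
        return f'Header always set {header} "{policy}"'
    if fmt == "netlify":
        return f"/*\n  {header}: {policy}\n"
    if fmt == "vercel":
        rule = {"source": "/(.*)", "headers": [{"key": header, "value": policy}]}
        return json.dumps({"headers": [rule]}, indent=2)
    if fmt == "meta":
        if report_only:
            raise ValueError("Report-Only mode cannot be delivered in a <meta> tag")
        # Drop directives the meta tag cannot carry; they need a real header.
        kept = "; ".join(p.strip() for p in policy.split(";")
                         if p.strip() and p.split()[0].lower() not in META_UNSUPPORTED)
        return f'<meta http-equiv="{header}" content="{kept}">'
    raise ValueError(f"unknown export format {fmt!r}")


if __name__ == "__main__":
    chosen = {
        "default-src": ["'none'"],
        "script-src": ["'self'", "'nonce-{RANDOM}'"],
        "object-src": ["'none'"],
        "base-uri": ["'none'"],
        "frame-ancestors": ["'none'"],
    }
    policy = build_policy(chosen, presets=["google-fonts"], nonce=new_nonce())
    print(export(policy, "nginx", report_only=True))
    print("cannot go in <meta>:", meta_incompatible(policy))
```

Two deployment notes the export strings cannot express: in Nginx, an add_header inside a location block discards every add_header inherited from the enclosing server block, so the CSP line must be repeated in each location that sets other headers; and a nonce-based policy has to be generated per response by the application (or a module that rewrites the header), since a static nonce in a config file defeats the purpose.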

Learn More

For a complete guide on implementing CSP, see Implementing Content Security Policy in Nginx.