CSP Policy Builder
Labels: Strict = part of the recommended strict (nonce-based) CSP; No Meta = header-only, cannot be delivered in a <meta http-equiv> tag; Deprecated = superseded directive.

Core Directives

| Directive | Label | Purpose | Default value |
|---|---|---|---|
| default-src | Strict | Block all resources by default (deny-by-default approach) | 'none' |
| script-src | Strict | Allow scripts from same origin with nonce | 'self' 'nonce-{RANDOM}' |
| style-src | | Allow styles from same origin + inline styles | 'self' 'unsafe-inline' |

Security Hardening

| Directive | Label | Purpose | Default value |
|---|---|---|---|
| object-src | Strict | Block plugins (Flash, Java); required for strict CSP | 'none' |
| base-uri | Strict | Prevent base tag injection; required for strict CSP | 'none' |
| frame-ancestors | No Meta | Prevent clickjacking (replaces X-Frame-Options) | 'none' |
| form-action | | Restrict form submissions to same origin | 'self' |
| frame-src | | Control sources for frames and iframes | 'self' |
| sandbox | No Meta | Apply sandbox restrictions (like iframe sandbox) | allow-scripts allow-same-origin |

Resource Control

| Directive | Label | Purpose | Default value |
|---|---|---|---|
| img-src | | Allow images from same origin + data URIs | 'self' data: |
| font-src | | Allow fonts from same origin | 'self' |
| connect-src | | Restrict XHR/Fetch/WebSocket connections | 'self' |
| media-src | | Allow audio/video from same origin | 'self' |
| worker-src | | Allow Web Workers from same origin | 'self' |
| child-src | | Control workers and nested browsing contexts | 'self' |
| manifest-src | | Control web app manifest sources | 'self' |

Advanced Options

| Directive | Label | Purpose | Default value |
|---|---|---|---|
| strict-dynamic | | Trust scripts loaded by trusted scripts (keyword added to script-src) | (no value) |
| upgrade-insecure-requests | | Auto-upgrade HTTP to HTTPS | (no value) |
| block-all-mixed-content | Deprecated | Block all HTTP resources on HTTPS pages | (no value) |
| require-trusted-types-for | | Require Trusted Types for DOM XSS sinks | 'script' |
| report-to | No Meta | Modern reporting endpoint (use with Reporting-Endpoints header) | csp-endpoint |
| report-uri | Deprecated, No Meta | Violation report endpoint (deprecated, use report-to) | /csp-reports |
Generated Policy
Enable script-src with nonce, object-src 'none', and base-uri 'none' for Google's recommended Strict CSP.

About This Tool

Content Security Policy (CSP) is a critical security layer that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. This interactive builder helps you construct complex CSP headers by selecting directives and adding trusted sources.

Features

  • 20+ directives organized by category (Fetch, Navigation, Document, etc.)

  • Quick presets for common services like Google Fonts, Analytics, YouTube, and CDNs

  • Custom domains — add your own trusted URLs to any directive

  • 7 export formats — ready-to-use config for Nginx, Apache, Cloudflare, Vercel, and more

  • Report-Only mode — test your policy without blocking resources

  • Security assessment — real-time warnings for insecure configurations like 'unsafe-inline'

How to Use

  1. Enable the directives you need for your website
  2. Use quick presets to add common third-party services
  3. Add custom domains by clicking the + button on editable directives
  4. Select your server format (Nginx, Apache, Cloudflare, etc.)
  5. Enable Report-Only mode to test before enforcing
  6. Copy and add to your server configuration

Privacy

Your security configurations are private. All policy building and formatting happens entirely in your browser. No domains, URLs, or policy settings are sent to any server.

Linux Command Reference

Once you’ve configured your CSP, you can verify it using terminal tools.

Check CSP Header with curl

curl -I https://jmrp.io | grep -i "content-security-policy"
content-security-policy: default-src 'self'; script-src 'self' …

Calculate Hash for Inline Script

echo -n 'alert("Hello");' | openssl dgst -sha256 -binary | openssl base64
qznLcsROU4CHAtWia…
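The strict, nonce-based policy recommended above, the same SHA-256 hash the openssl pipeline produces, and a few of the insecure-configuration checks the builder's security assessment performs, as an added Python example (this is not the tool's own code; the exact directive set in strict_csp and the warning rules in assess are assumptions modelled on the directive table):

```python
import base64
import hashlib
import secrets

def new_nonce() -> str:
    # 128 random bits, base64-encoded: the 'nonce-{RANDOM}' value. Fresh per response.
    return base64.b64encode(secrets.token_bytes(16)).decode()

def strict_csp(nonce: str, report_to: str = "") -> str:
    # The directives the builder labels "Strict", plus header-only hardening.
    directives = [
        "default-src 'none'",
        f"script-src 'self' 'nonce-{nonce}' 'strict-dynamic'",
        "style-src 'self'",
        "img-src 'self' data:",
        "connect-src 'self'",
        "object-src 'none'",
        "base-uri 'none'",
        "frame-ancestors 'none'",
        "form-action 'self'",
    ]
    if report_to:  # e.g. "csp-endpoint", paired with a Reporting-Endpoints header
        directives.append(f"report-to {report_to}")
    return "; ".join(directives)

def script_hash(source: str) -> str:
    # Same result as: echo -n "$source" | openssl dgst -sha256 -binary | openssl base64
    digest = hashlib.sha256(source.encode()).digest()
    return f"'sha256-{base64.b64encode(digest).decode()}'"

def parse(policy: str) -> dict:
    # "name src src; name src" -> {name: [src, ...]}
    parts = (p.split() for p in policy.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def assess(policy: str) -> list:
    # Warning rules assumed for this example, in the spirit of the builder's assessment.
    d = parse(policy)
    script = d.get("script-src", d.get("default-src", []))
    gated = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
    warnings = []
    if "'unsafe-inline'" in script and not gated:
        warnings.append("script-src: 'unsafe-inline' without a nonce or hash permits injected inline scripts")
    if "'unsafe-eval'" in script:
        warnings.append("script-src: 'unsafe-eval' permits eval()-style sinks")
    if d.get("object-src", d.get("default-src")) != ["'none'"]:
        warnings.append("object-src: set to 'none' (required for strict CSP)")
    if "base-uri" not in d:
        warnings.append("base-uri: missing; an injected <base> tag can redirect relative script URLs")
    return warnings
```

Browsers ignore 'unsafe-inline' in a script-src that also carries a nonce or hash, so the check only fires when no such gate is present.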

Learn More

For a complete guide on implementing CSP, see Implementing Content Security Policy in Nginx.