Content Security Policy Generator
Build a Content-Security-Policy header directive-by-directive with quick-start presets.
Directive                    Meaning
default-src                  Fallback for all fetch directives
script-src                   JavaScript sources
style-src                    Stylesheet sources
img-src                      Image sources
font-src                     Font sources
connect-src                  Fetch / XHR / WebSocket endpoints
media-src                    Audio and video sources
object-src                   <object> and <embed> sources
frame-src                    <iframe> sources
frame-ancestors              Who may embed this page
form-action                  Form submission targets
base-uri                     Restricts <base> href values
upgrade-insecure-requests    Upgrade HTTP sub-resources to HTTPS (no value needed)
block-all-mixed-content      Block any HTTP sub-resources (no value needed)
report-uri                   URL to send violation reports to (deprecated; prefer report-to)
Generated header:
Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests

Generated <meta> tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests">

How Content Security Policy works
Content Security Policy (CSP) is an HTTP response header that instructs browsers to only load resources from trusted origins. A strict policy using default-src 'self' with nonces for inline scripts significantly reduces the impact of cross-site scripting (XSS) attacks. Start with Content-Security-Policy-Report-Only to monitor violations before enforcing the policy.
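The following is an added example, not the generator's own code, showing how a policy like the one above is assembled directive-by-directive: sources are quoted or left bare according to their kind, valueless directives are emitted as bare names, the same policy is rendered as an enforcing header, a Report-Only header, or a <meta> tag, and a small lint flags combinations that weaken the policy. It also encodes one caveat worth knowing: browsers ignore frame-ancestors, report-uri and sandbox when the policy is delivered in a <meta> element, so the <meta> rendering drops them and reports which ones it dropped. The nonce value is constructed for the demo; a real server generates a fresh random nonce for every response.

```javascript
// Added example (not the generator's own code): build a CSP directive-by-directive,
// validate the directive names, and render header, Report-Only header and <meta> forms.

// Directive names this builder accepts (the set listed on the page).
const KNOWN_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "font-src", "connect-src",
  "media-src", "object-src", "frame-src", "frame-ancestors", "form-action",
  "base-uri", "upgrade-insecure-requests", "block-all-mixed-content", "report-uri",
]);

// Directives that take no value: serialised as the bare name.
const VALUELESS = new Set(["upgrade-insecure-requests", "block-all-mixed-content"]);

// Keyword sources and nonce/hash sources must be single-quoted; host sources must not be.
const KEYWORDS = new Set(["self", "none", "unsafe-inline", "unsafe-eval",
  "strict-dynamic", "unsafe-hashes", "report-sample"]);
const QUOTED_PREFIX = /^(nonce|sha256|sha384|sha512)-/;

// Directives browsers ignore when the policy arrives in a <meta> element instead of a header.
const META_IGNORED = new Set(["frame-ancestors", "report-uri", "sandbox"]);

function quoteSource(src) {
  const bare = String(src).replace(/^'|'$/g, ""); // accept either 'self' or self
  if (KEYWORDS.has(bare) || QUOTED_PREFIX.test(bare)) return `'${bare}'`;
  if (/[;,\s'"]/.test(bare)) throw new Error(`invalid characters in source: ${src}`);
  return bare; // scheme or host source, e.g. https://cdn.example.com or data:
}

// policy: { "directive-name": [sources...] } or { "directive-name": true } for valueless ones.
function serializePolicy(policy) {
  const parts = [];
  for (const [name, value] of Object.entries(policy)) {
    if (!KNOWN_DIRECTIVES.has(name)) throw new Error(`unknown directive: ${name}`);
    if (VALUELESS.has(name)) { if (value) parts.push(name); continue; }
    if (!Array.isArray(value) || value.length === 0) {
      throw new Error(`${name} needs at least one source`);
    }
    parts.push(`${name} ${value.map(quoteSource).join(" ")}`);
  }
  return parts.join("; ");
}

function toHeader(policy, { reportOnly = false } = {}) {
  const name = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  return `${name}: ${serializePolicy(policy)}`;
}

// Returns the <meta> tag plus the directives dropped because <meta> delivery ignores them.
function toMetaTag(policy) {
  const dropped = Object.keys(policy).filter((d) => META_IGNORED.has(d));
  const kept = Object.fromEntries(Object.entries(policy).filter(([d]) => !META_IGNORED.has(d)));
  return {
    tag: `<meta http-equiv="Content-Security-Policy" content="${serializePolicy(kept)}">`,
    dropped,
  };
}

// Lint: once a nonce or hash is present in a directive, CSP Level 2+ browsers ignore
// 'unsafe-inline' in that directive, so keeping both only loosens older browsers.
function lintPolicy(policy) {
  const findings = [];
  for (const [name, value] of Object.entries(policy)) {
    if (!Array.isArray(value)) continue;
    const bare = value.map((s) => String(s).replace(/^'|'$/g, ""));
    const hasNonceOrHash = bare.some((s) => QUOTED_PREFIX.test(s));
    if (hasNonceOrHash && bare.includes("unsafe-inline")) {
      findings.push(`${name}: 'unsafe-inline' is redundant alongside a nonce/hash`);
    }
  }
  if (!("object-src" in policy) && !("default-src" in policy)) {
    findings.push("no object-src or default-src: plugin content is unrestricted");
  }
  return findings;
}

// The page's strict quick-start preset.
const STRICT_PRESET = {
  "default-src": ["self"],
  "object-src": ["none"],
  "frame-ancestors": ["none"],
  "upgrade-insecure-requests": true,
};

// Constructed nonce for the demo only; generate a fresh random one per response in practice.
const DEMO_NONCE = "nonce-R4nd0mDemoNonce";
const NONCE_POLICY = { ...STRICT_PRESET, "script-src": ["self", DEMO_NONCE, "unsafe-inline"] };

console.log(toHeader(STRICT_PRESET));
console.log(toHeader(NONCE_POLICY, { reportOnly: true }));
console.log(toMetaTag(STRICT_PRESET));
console.log(lintPolicy(NONCE_POLICY));
```

Start by sending the policy as Content-Security-Policy-Report-Only (the toHeader call with reportOnly: true) and watch the violation reports; switch to the enforcing header only once the reports are clean. Because the <meta> form cannot carry frame-ancestors, clickjacking protection needs the HTTP header rather than the tag.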
For other security headers see the HTTP Security Header Generator. For cookie security, use the HTTP Cookie Builder.
Private & free — this tool runs entirely in your browser.