Generate CSP header – Free Content Security Policy Generator

Learn more

Need a CSP header? Build Content Security Policy rules to prevent XSS attacks. Generate CSP headers for Nginx, Apache, or meta tags.

CSP Generator

Need a CSP header? Build Content Security Policy rules

Content Security Policy

CSP helps prevent XSS attacks by controlling which resources can be loaded. Start with a restrictive policy and relax as needed.

Options

Configure CSP behavior

Report Only Mode

Use Content-Security-Policy-Report-Only header (for testing)

Report URI(optional)

Allowed Sources

'self'

Allowed Sources

'self'

Allowed Sources

'self'

'unsafe-inline'

Allowed Sources

'self'

data:

https:

Allowed Sources

'self'

data:

https:

Allowed Sources

'self'

Allowed Sources

'none'

Best Practices

Start with default-src 'self' and add exceptions as needed
Avoid 'unsafe-inline' and 'unsafe-eval' when possible
Use nonce or hash for inline scripts/styles
Test in Report Only mode before enforcing
Set object-src 'none' to prevent plugin attacks

Content Security Policy

CSP helps prevent XSS attacks by controlling which resources can be loaded. Start with a restrictive policy and relax as needed.

Options

Configure CSP behavior

Report Only Mode

Use Content-Security-Policy-Report-Only header (for testing)

Report URI(optional)

Allowed Sources

'self'

Allowed Sources

'self'

Allowed Sources

'self'

'unsafe-inline'

Allowed Sources

'self'

data:

https:

Allowed Sources

'self'

data:

https:

Allowed Sources

'self'

Allowed Sources

'none'

Best Practices

Start with default-src 'self' and add exceptions as needed
Avoid 'unsafe-inline' and 'unsafe-eval' when possible
Use nonce or hash for inline scripts/styles
Test in Report Only mode before enforcing
Set object-src 'none' to prevent plugin attacks

No output generated yet. Use the tool to generate content.

What is CSP Generator?

A CSP generator creates Content Security Policy headers that specify which sources are allowed to load resources like scripts, styles, images, fonts, and connections. CSP works by whitelisting trusted sources and blocking unauthorized resources. For example, 'script-src 'self'' allows scripts only from the same origin, preventing malicious inline scripts or scripts from untrusted domains. CSP can be delivered via HTTP headers (recommended) or meta tags, and supports report-only mode for testing before enforcement.

Features

Configure all CSP directives (default-src, script-src, style-src, etc.)
Add allowed sources per directive
Generate headers for Nginx, Apache, or meta tags
Test in report-only mode before enforcing
Configure report-uri for violation reporting
Use common values like 'self', 'unsafe-inline', or custom domains

How to use

Enable the directives you want to configure
Add allowed sources for each directive (e.g., 'self', domains, data:)
Configure report-only mode and report URI if needed
Generate CSP header in your preferred format
Add to your server configuration or HTML meta tag
Test in report-only mode, then enforce

Common use cases

Preventing XSS attacks by blocking unauthorized scripts
Controlling which domains can load resources
Preventing data exfiltration via connect-src
Blocking inline scripts/styles (use nonces/hashes instead)
Complying with security standards and audits

Frequently Asked Questions

What's the difference between CSP header and meta tag?

HTTP headers are recommended because they apply to all responses and can't be bypassed. Meta tags are a fallback when you can't set HTTP headers, but they're less secure and only apply to the HTML document.

Should I use report-only mode?

Yes, always test in report-only mode first. It reports violations without blocking, helping you identify what needs to be allowed before enforcing the policy.

How do I allow inline scripts with CSP?

Avoid 'unsafe-inline' if possible. Instead, use nonces (random tokens) or hashes. Generate a nonce per request, add it to script tags, and include it in your CSP: 'script-src 'nonce-{value}''.

What does 'self' mean in CSP?

'self' means the same origin (same protocol, domain, and port). It's a common value that allows resources from your own domain.