Security Header Builder
Craft a hardened Content Security Policy and complementary response headers.
Quick Start Templates
Strict Policy
Maximum security for modern web applications
Moderate Policy
Balance between security and compatibility
⚠️ Less secure than strict policy due to 'unsafe-inline'
Legacy Compatible
Maximum compatibility for older websites
⚠️ Less secure - migrate to stricter policy over time
Report-Only Mode
Monitor violations without blocking
Build Your Policy
📥 Fetch Directives (Resource Loading)
Fallback for all fetch directives
JavaScript sources
CSS sources
Image sources
Font sources
AJAX, WebSocket, EventSource
Audio & video sources
Plugins: <object>, <embed>, <applet>
Iframe sources
Web workers & nested contexts
Web app manifest
Web workers
📄 Document Directives
Restrict <base> tag URLs
Enable sandbox restrictions
🧭 Navigation Directives
Form submission targets
Embedding in iframes
Navigation targets
⚠️ Limited browser support
📊 Reporting Directives
Violation report endpoint
Reporting API group
⚙️ Other Directives
Automatically upgrades HTTP to HTTPS
Block HTTP on HTTPS
Trusted Types API
Trusted Types policy names
Validation & Security Grade
Passes: 1
Warnings: 5
Errors: 0
Security Grade: F
✓ Valid CSP syntax
⚠️ object-src not configured
→ Set object-src to 'none' to disable plugins
⚠️ base-uri not configured
→ Set base-uri to 'self' to prevent base tag injection
⚠️ form-action not configured
→ Set form-action to 'self' to prevent form hijacking
⚠️ frame-ancestors not configured
→ Set frame-ancestors to prevent clickjacking
⚠️ No reporting configured
→ Add report-uri or report-to to monitor violations
Browser Compatibility
Chrome 90+
Firefox 89+
Safari 14+
No report-to support
Edge 90+
IE 11
CSP 1.0 only, no Level 2/3 features
Generated Policy
Content-Security-Policy: default-src 'self';
Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), notifications=(), payment=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin
X-Permitted-Cross-Domain-Policies: none
Understanding CSP Directives
Content Security Policy uses directives to control which resources can be loaded and executed.
Common Directives
- default-src: Fallback for all resource types
- script-src: JavaScript sources
- style-src: CSS stylesheets
- img-src: Image sources
- connect-src: AJAX, WebSocket, fetch
- font-src: Web fonts
- frame-src: Iframe sources
Common Source Values
- 'self': Same origin only
- 'none': Block all sources
- 'unsafe-inline': Allow inline code (avoid)
- 'unsafe-eval': Allow eval() (avoid)
- https: Any HTTPS source
- domain.com: Specific domain
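The validation panel above flags directives that do not fall back to default-src (base-uri, form-action, frame-ancestors, report-uri/report-to) and asks for an explicit object-src 'none', while the directive list explains the fallback and the 'unsafe-*' source keywords. The following Python is an added example, not the builder's own code: it parses a Content-Security-Policy header value the way a browser tokenizes it (directives split on ';', tokens on whitespace, first duplicate wins) and reproduces the panel's five warnings plus an 'unsafe-inline'/'unsafe-eval' check on the effective script sources. The letter grade is not reproduced, since the page does not state how it is computed.

```python
"""Minimal CSP parser and hygiene checker (added example, not the tool's code)."""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive_name: [source_expression, ...]}.

    Directives are separated by ';' and tokens by ASCII whitespace. Directive
    names are case-insensitive, so they are lower-cased; source expressions
    keep their case because keywords such as 'self' must stay quoted exactly.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        name = tokens[0].lower()
        # Per the CSP spec a repeated directive is ignored: the first one wins.
        policy.setdefault(name, tokens[1:])
    return policy


def check_csp(header: str) -> List[str]:
    """Return the warnings a hygiene check raises for a policy string."""
    policy = parse_csp(header)
    warnings: List[str] = []

    # object-src does fall back to default-src, but default-src 'self' still
    # permits same-origin plugin content, so an explicit 'none' is wanted.
    if "object-src" not in policy:
        warnings.append("object-src not configured: set object-src 'none' to disable plugins")

    # These three never fall back to default-src; leaving them out means
    # "no restriction", not "same as default-src".
    if "base-uri" not in policy:
        warnings.append("base-uri not configured: set base-uri 'self' to prevent base tag injection")
    if "form-action" not in policy:
        warnings.append("form-action not configured: set form-action 'self' to prevent form hijacking")
    if "frame-ancestors" not in policy:
        warnings.append("frame-ancestors not configured: set frame-ancestors to prevent clickjacking")

    # Reporting is opt-in; without it violations are silently dropped.
    if "report-uri" not in policy and "report-to" not in policy:
        warnings.append("No reporting configured: add report-uri or report-to to monitor violations")

    # Effective script sources: script-src if present, else the default-src fallback.
    scripts = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        if keyword in scripts:
            warnings.append(f"{keyword} in effective script-src weakens XSS protection")

    return warnings


if __name__ == "__main__":
    # Constructed sample: the generated policy shown on this page.
    for warning in check_csp("default-src 'self'"):
        print("warning:", warning)
```

Running the module on the page's generated policy prints the same five warnings the panel shows; a policy that sets all five directives explicitly returns an empty list.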
Frequently Asked Questions
Common questions about the CSP Generator
Content Security Policy (CSP) is a browser security feature that helps prevent Cross-Site Scripting (XSS), clickjacking, and other code injection attacks. It works by defining which sources of content the browser should consider valid for loading scripts, styles, images, and other resources.
⚠️ Security Notice
This tool is provided for educational and authorized security testing purposes only. Always ensure you have proper authorization before testing any systems or networks you do not own. Unauthorized access or security testing may be illegal in your jurisdiction. All processing happens client-side in your browser - no data is sent to our servers.