CSP Generator
Build a Content Security Policy visually and get warnings about unsafe directives.
default-src
Default policy for all resources
script-src
Sources for JavaScript
style-src
Sources for CSS
img-src
Sources for images
font-src
Sources for fonts
connect-src
Sources for fetch, XHR, WebSocket
media-src
Sources for audio/video
object-src
Sources for plugins (Flash, etc.)
frame-src
Sources for iframes
frame-ancestors
Who can embed this page
base-uri
Base URL for relative URLs
form-action
Form submission targets
Features
- Visual builder for Content Security Policy (CSP) headers
- Configure all CSP directives: default-src, script-src, style-src, img-src, connect-src, and more
- Nonce and hash-based script allowlisting
- Report-Only mode for policy testing without enforcement
- CSP violation report endpoint configuration
- Preset policies: strict, moderate, permissive
- Generated header and meta tag output
Common Use Cases
- Protect web applications from Cross-Site Scripting (XSS) attacks
- Lock down which domains can serve scripts, styles, and media
- Migrate from inline scripts to nonce-based CSP
- Test a CSP policy in report-only mode before enforcing it
- Generate CSP headers for a specific framework (Next.js, Express, etc.)
Content Security Policy (CSP)
Content Security Policy is a security standard that tells browsers which content sources are legitimate for your web application. It is one of the most powerful defenses against Cross-Site Scripting (XSS) attacks β even if an attacker injects a script, CSP prevents the browser from executing it if the source is not whitelisted.
CSP is delivered as an HTTP header or a <meta> tag. A strict policy blocks all inline scripts, eval, and external resources by default (default-src 'none') and then explicitly allows only trusted sources. The Content-Security-Policy-Report-Only header lets you test a policy without enforcement, collecting violation reports instead.
Modern best practice uses nonces (random per-request tokens) or hashes to allow specific inline scripts without 'unsafe-inline'.
Examples
default-src 'none'; script-src 'nonce-{random}'; style-src 'self'; img-src 'self' data:; frame-ancestors 'none'default-src *; script-src * 'unsafe-inline' 'unsafe-eval'Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-reportFrequently Asked Questions
'unsafe-inline' allows all inline scripts and styles, which defeats the primary XSS protection CSP provides. If an attacker can inject inline JavaScript (via XSS), 'unsafe-inline' lets it execute. Use nonces ('nonce-abc123') or hashes ('sha256-abc...') to allow specific inline scripts without this broad permission.
A nonce (number used once) is a cryptographically random token generated per-request. Add it to the CSP header (script-src 'nonce-{token}') and to each legitimate <script nonce="{token}"> tag. Injected scripts without the nonce won't execute. The nonce must be random and unique per page load β never reuse it.
Use Content-Security-Policy-Report-Only instead of Content-Security-Policy. The browser enforces nothing but sends violation reports to your report-uri. Review the reports for a few days to understand what your existing code needs, then refine the policy before switching to enforcement mode.
A strict CSP significantly raises the bar for XSS attacks but does not eliminate them entirely. DOM-based XSS that operates within allowed sources, JSONP endpoints, and browser extension vulnerabilities can bypass CSP. CSP is one layer in a defense-in-depth strategy, not a single solution.
π‘ Tips
- Start with <code>Content-Security-Policy-Report-Only</code> in production for at least a week before switching to enforcement mode.
- Never use <code>'unsafe-eval'</code> β it enables eval(), new Function(), and setTimeout/setInterval with string arguments, all common XSS vectors.
- Use <code>frame-ancestors 'none'</code> instead of X-Frame-Options for clickjacking protection β CSP's frame-ancestors is more flexible and modern.
- Set <code>upgrade-insecure-requests</code> to automatically upgrade HTTP subrequests to HTTPS without breaking existing HTTP references.