CSP Generator

CSP Generator

Build a Content Security Policy visually and get warnings about unsafe directives.

Presets:

default-src

Default policy for all resources

script-src

Sources for JavaScript

style-src

Sources for CSS

img-src

Sources for images

font-src

Sources for fonts

connect-src

Sources for fetch, XHR, WebSocket

media-src

Sources for audio/video

object-src

Sources for plugins (Flash, etc.)

frame-src

Sources for iframes

frame-ancestors

Who can embed this page

base-uri

Base URL for relative URLs

form-action

Form submission targets

Features

  • Visual builder for Content Security Policy (CSP) headers
  • Configure all CSP directives: default-src, script-src, style-src, img-src, connect-src, and more
  • Nonce and hash-based script allowlisting
  • Report-Only mode for policy testing without enforcement
  • CSP violation report endpoint configuration
  • Preset policies: strict, moderate, permissive
  • Generated header and meta tag output

Common Use Cases

  • Protect web applications from Cross-Site Scripting (XSS) attacks
  • Lock down which domains can serve scripts, styles, and media
  • Migrate from inline scripts to nonce-based CSP
  • Test a CSP policy in report-only mode before enforcing it
  • Generate CSP headers for a specific framework (Next.js, Express, etc.)

Content Security Policy (CSP)

Content Security Policy is a security standard that tells browsers which content sources are legitimate for your web application. It is one of the most powerful defenses against Cross-Site Scripting (XSS) attacks β€” even if an attacker injects a script, CSP prevents the browser from executing it if the source is not whitelisted.

CSP is delivered as an HTTP header or a <meta> tag. A strict policy blocks all inline scripts, eval, and external resources by default (default-src 'none') and then explicitly allows only trusted sources. The Content-Security-Policy-Report-Only header lets you test a policy without enforcement, collecting violation reports instead.

Modern best practice uses nonces (random per-request tokens) or hashes to allow specific inline scripts without 'unsafe-inline'.

Examples

Valid - Strict CSP
default-src 'none'; script-src 'nonce-{random}'; style-src 'self'; img-src 'self' data:; frame-ancestors 'none'
Invalid - Permissive (avoid in prod)
default-src *; script-src * 'unsafe-inline' 'unsafe-eval'
Valid - Report-Only mode
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report

Frequently Asked Questions

What is 'unsafe-inline' and why should I avoid it?

'unsafe-inline' allows all inline scripts and styles, which defeats the primary XSS protection CSP provides. If an attacker can inject inline JavaScript (via XSS), 'unsafe-inline' lets it execute. Use nonces ('nonce-abc123') or hashes ('sha256-abc...') to allow specific inline scripts without this broad permission.

What is a CSP nonce?

A nonce (number used once) is a cryptographically random token generated per-request. Add it to the CSP header (script-src 'nonce-{token}') and to each legitimate <script nonce="{token}"> tag. Injected scripts without the nonce won't execute. The nonce must be random and unique per page load β€” never reuse it.

How do I test my CSP without breaking my site?

Use Content-Security-Policy-Report-Only instead of Content-Security-Policy. The browser enforces nothing but sends violation reports to your report-uri. Review the reports for a few days to understand what your existing code needs, then refine the policy before switching to enforcement mode.

Does CSP prevent all XSS attacks?

A strict CSP significantly raises the bar for XSS attacks but does not eliminate them entirely. DOM-based XSS that operates within allowed sources, JSONP endpoints, and browser extension vulnerabilities can bypass CSP. CSP is one layer in a defense-in-depth strategy, not a single solution.

πŸ’‘ Tips

  • Start with <code>Content-Security-Policy-Report-Only</code> in production for at least a week before switching to enforcement mode.
  • Never use <code>'unsafe-eval'</code> β€” it enables eval(), new Function(), and setTimeout/setInterval with string arguments, all common XSS vectors.
  • Use <code>frame-ancestors 'none'</code> instead of X-Frame-Options for clickjacking protection β€” CSP's frame-ancestors is more flexible and modern.
  • Set <code>upgrade-insecure-requests</code> to automatically upgrade HTTP subrequests to HTTPS without breaking existing HTTP references.