AES Encryption Explained: How It Works and Why It Matters
Jun 23, 2026
Build Content Security Policy headers visually with presets, directives, and source customization.
Fallback for all directives
Allowed script sources
Allowed stylesheet sources
Allowed image sources
Allowed font sources
Allowed API/WebSocket origins
Allowed frame/iframe sources
Allowed audio/video sources
Allowed <object>/<embed>/<applet>
Allowed Worker/ServiceWorker
Allowed manifest sources
Allowed <base> tag URIs
Allowed form submission targets
Allowed parent frames (clickjacking)
Block mixed HTTP content on HTTPS pages
Automatically upgrade HTTP to HTTPS
Content Security Policy (CSP) is an HTTP header that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by controlling which resources the browser is allowed to load for a given page.
CSP works by defining a set of directives that specify allowed sources for different resource types. When a page violates the policy, the browser either blocks the resource (enforce mode) or sends a report (report-only mode).
Strict: Maximum security. Blocks all inline scripts/styles, requires nonces or hashes. Best for applications with full CSP support.
Moderate: Balanced security. Allows 'unsafe-inline' styles but blocks inline scripts. Good for most websites.
Permissive: Minimal security. Widest compatibility with existing sites. Use as a starting point to tighten gradually.
'self' allows resources from the same origin (same protocol, host, and port). 'none' blocks all sources for that directive. Use 'none' for directives like object-src to completely disable plugin content.
This tool generates CSP headers based on your selections. For testing and validation of existing policies, use the Security Headers Checker tool or browser developer tools.
Blog
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026