CSP Header Generator
Build Content Security Policy headers visually with presets, directives, and source customization.
Directive fields:
- Fallback for all directives
- Allowed script sources
- Allowed stylesheet sources
- Allowed image sources
- Allowed font sources
- Allowed API/WebSocket origins
- Allowed frame/iframe sources
- Allowed audio/video sources
- Allowed <object>/<embed>/<applet> sources
- Allowed Worker/ServiceWorker sources
- Allowed manifest sources
- Allowed <base> tag URIs
- Allowed form submission targets
- Allowed parent frames (clickjacking)
- Block mixed HTTP content on HTTPS pages
- Automatically upgrade HTTP to HTTPS
Content-Security-Policy Header
What is CSP?
Content Security Policy (CSP) is an HTTP header that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by controlling which resources the browser is allowed to load for a given page.
CSP works by defining a set of directives, each listing the allowed sources for one resource type. When a resource load violates the policy, the browser either blocks it (enforce mode) or allows it and sends a violation report (report-only mode).
Frequently Asked Questions
What CSP preset should I use?
- Strict: Maximum security. Blocks all inline scripts/styles and requires nonces or hashes. Best for applications with full CSP support.
- Moderate: Balanced security. Allows 'unsafe-inline' styles but blocks inline scripts. Good for most websites.
- Permissive: Minimal security. Widest compatibility with existing sites. Use as a starting point to tighten gradually.
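As an added example (not the tool's own code), here is a small Python builder that mirrors what the generator does: it starts from one of the three presets above, applies per-directive overrides, appends a per-response nonce to script-src for the Strict preset, adds the two standalone flags, picks the enforce or report-only header name, and runs a lint pass that flags the settings the Permissive preset is meant to tighten. The exact source lists in each preset and the lint rules are this example's assumptions, not the tool's.

```python
import secrets

# Preset source lists are this example's assumptions, modelled on the
# page's descriptions (Strict: no inline at all, nonces required;
# Moderate: inline styles allowed, inline scripts blocked;
# Permissive: broad compatibility). Directive names are the standard ones.
PRESETS = {
    "strict": {
        "default-src": ["'none'"],
        "script-src": ["'self'"],          # per-response nonce appended below
        "style-src": ["'self'"],
        "img-src": ["'self'"],
        "font-src": ["'self'"],
        "connect-src": ["'self'"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "form-action": ["'self'"],
        "frame-ancestors": ["'none'"],
    },
    "moderate": {
        "default-src": ["'self'"],
        "script-src": ["'self'"],
        "style-src": ["'self'", "'unsafe-inline'"],
        "img-src": ["'self'", "data:"],
        "object-src": ["'none'"],
        "frame-ancestors": ["'self'"],
    },
    "permissive": {
        "default-src": ["'self'", "https:"],
        "script-src": ["'self'", "'unsafe-inline'", "https:"],
        "style-src": ["'self'", "'unsafe-inline'", "https:"],
        "img-src": ["*", "data:"],
        "object-src": ["'none'"],
    },
}


def new_nonce():
    # 128 bits of randomness, base64url encoded; generate one per response.
    return secrets.token_urlsafe(16)


def build_policy(preset, overrides=None, nonce=None,
                 upgrade=False, block_mixed=False):
    # Copy the preset so callers never mutate module-level state.
    policy = {name: list(src) for name, src in PRESETS[preset].items()}
    for name, sources in (overrides or {}).items():
        policy[name] = list(sources)
    if nonce is not None:
        policy.setdefault("script-src", []).append(f"'nonce-{nonce}'")
    # Standalone directives carry no source list.
    if upgrade:
        policy["upgrade-insecure-requests"] = []
    if block_mixed:
        policy["block-all-mixed-content"] = []
    return policy


def serialize(policy):
    # Each directive is "name source source ..."; directives join with "; ".
    parts = [name if not sources else f"{name} {' '.join(sources)}"
             for name, sources in policy.items()]
    return "; ".join(parts)


def header(policy, report_only=False):
    # Same policy value; only the header name decides block vs. report.
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, serialize(policy)


def lint(policy):
    # Warnings for the settings the Permissive preset is meant to tighten.
    warnings = []
    script = policy.get("script-src", policy.get("default-src", []))
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-",
                                      "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:
        warnings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if any(s in ("*", "https:", "http:") for s in script):
        warnings.append("script-src contains a scheme or wildcard source")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        warnings.append("object-src is not restricted; add object-src 'none'")
    if "base-uri" not in policy:
        warnings.append("base-uri is not set; relative URLs can be redirected via <base>")
    return warnings


if __name__ == "__main__":
    nonce = new_nonce()
    for preset in PRESETS:
        policy = build_policy(preset, nonce=nonce if preset == "strict" else None,
                              upgrade=True)
        print(header(policy, report_only=(preset == "permissive")))
        print("  lint:", lint(policy) or "clean")
```

Roll a policy out with report_only=True first, watch the reports, then switch the header name; the value itself does not change. Note that browsers supporting nonces ignore 'unsafe-inline' in the same directive, so adding a nonce is the path from Permissive to Strict for script-src.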
What is the difference between 'self' and 'none'?
'self' allows resources from the same origin (same protocol, host, and port). 'none' blocks all sources for that directive. Use 'none' for directives like object-src to completely disable plugin content.
Is this tool generating a policy or validating one?
This tool generates CSP headers based on your selections. For testing and validation of existing policies, use the Security Headers Checker tool or browser developer tools.