Free CSP generator

Build a Content-Security-Policy header directive by directive, then paste an existing one to see what it is missing. Both the builder and the checker run on your device in plain JavaScript. Your policy names your CDNs and API hosts, and none of it is sent to a server.

Start from

Strict locks everything down with default-src 'none' and a nonce, then allows each content type back on. It is the policy you want to end up with.

default-src

Fallback for every fetch directive you do not set explicitly.

script-src

Where JavaScript may be loaded from, and whether inline script runs.

style-src

Where stylesheets may be loaded from, and whether inline style is allowed.

img-src

Where images may be loaded from. Add data: for inline SVG and base64 images.

connect-src

Endpoints that fetch, XHR, WebSocket, and EventSource may talk to.

font-src

Where web fonts may be loaded from.

frame-src

Which origins your page may embed in an iframe.

frame-ancestors

Who may embed your page. This is the modern replacement for X-Frame-Options.

form-action

Where a form on your page is allowed to submit.

base-uri

Restricts the <base> tag, which an injected element can otherwise use to hijack relative URLs.

object-src

Plugins such as Flash and Java. Almost every site should set this to none.

block-all-mixed-content is deprecated and upgrade-insecure-requests replaces it. Keep it only if you still support browsers that ignore the upgrade.

generated in your browser

This value is a placeholder to show the shape of the header. Your server must generate a fresh nonce for every response and put the same value on the matching script tags.

Header value
default-src 'none'; script-src 'self' 'nonce-GENERATED_PER_RESPONSE' 'strict-dynamic'; style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'none'; object-src 'none'; upgrade-insecure-requests
HTTP response header
Content-Security-Policy: default-src 'none'; script-src 'self' 'nonce-GENERATED_PER_RESPONSE' 'strict-dynamic'; style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'none'; object-src 'none'; upgrade-insecure-requests
HTML meta tag
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'nonce-GENERATED_PER_RESPONSE' 'strict-dynamic'; style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'none'; object-src 'none'; upgrade-insecure-requests">
The meta tag ignores frame-ancestors. Send those as a real HTTP header.
Nginx
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'nonce-GENERATED_PER_RESPONSE' 'strict-dynamic'; style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'none'; object-src 'none'; upgrade-insecure-requests" always;
Apache
Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'nonce-GENERATED_PER_RESPONSE' 'strict-dynamic'; style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'none'; object-src 'none'; upgrade-insecure-requests"

Copied to clipboard

How the CSP generator works

1

Set your sources

Start from the strict preset, then allow back the hosts your site really loads script, style, images, and API calls from.

2

Take the snippet

The header is assembled as you toggle, with copy-ready forms for the HTTP header, the meta tag, Nginx, and Apache. Deploy it report-only first.

3

Check what you have

Paste a live policy into the Check tab and every weak source and missing directive comes back ranked by severity with the fix.

Private by design: nothing leaves your browser

A Content Security Policy is a map of your infrastructure. It names your CDN, your API hosts, your payment provider, and every analytics vendor you have ever bolted on. That is a useful document for an attacker and it should not be uploaded to a stranger's server to be linted:

01

100% client-side

Building the header and parsing a pasted one are plain string operations in JavaScript. The nonce comes from crypto.getRandomValues, your browser's own secure generator. No network request carries your policy.

02

Nothing stored or logged

There is no account and no analytics on what you paste. Reload the page and the policy is gone from memory.

03

Your site is never fetched

The checker reads only the text you paste. It never requests your domain, so nothing about the check appears in your access logs or your WAF.

What a good policy does

  1. script-src is where the security lives. A nonce or a hash on your inline scripts is what actually stops injected script from running.
  2. object-src 'none' and base-uri 'none' close two attack paths that cost you nothing, because almost no site uses either feature.
  3. frame-ancestors is what stops clickjacking, and it does not inherit from default-src, so leaving it out leaves you open.
  4. Report-only mode lets you watch what a policy would break for a week or two before it breaks anything.

Built for developers and security-conscious teams

Anyone shipping a header that decides which code the browser will run on their site. BlockSurvey takes the same position on research data with zero-knowledge surveys, where responses are encrypted before they ever reach a server.

Frontend developers

Work out which directive is blocking your bundle, and get a policy that survives a script loader without falling back to 'unsafe-inline'.

Security & IT teams

Grade the CSP on a site you are reviewing, and hand the owner a finding list with a concrete fix rather than a score.

Teams heading into an audit

A CSP shows up in SOC 2 and pentest reports. Build one, ship it report-only, and close the finding before the assessor opens it.

Building something that handles sensitive data?

BlockSurvey runs on zero-knowledge surveys, so the responses you collect are never sold or mined. Responses are encrypted on the respondent's device, so the server stores nothing readable.

More free privacy tools

Browse all privacy tools

These tools run in your browser because that is how we build everything. The same idea, applied to research: privacy-first surveys with end-to-end encryption.

Frequently asked questions

Is this CSP generator free?

Yes, free and with no sign-up. Both the builder and the header checker run in the page you are looking at, so there is no quota to hit.

Does the policy I paste get sent to a server?

No. The builder assembles the header string and the checker parses it with plain JavaScript in your browser. No request carries the policy, and a CSP often maps out your CDNs, API hosts, and analytics vendors, which is exactly the kind of infrastructure detail you should not hand to a random website.

What is a Content Security Policy?

It is an HTTP response header that tells the browser which sources of script, style, image, and other content it may load for your page. A correct CSP is the strongest defence against cross-site scripting, because even if an attacker injects a script tag, the browser refuses to execute it when the source is not on your allow list.

Which directives do I actually need?

Start with these five and add more only when something breaks. default-src sets the fallback for anything you do not name. script-src controls JavaScript and is where most of the security lives. object-src 'none' kills the plugin attack surface. base-uri 'none' stops an injected base tag from rewriting your relative URLs. frame-ancestors controls who may put your page in an iframe, which is what stops clickjacking.

Is 'unsafe-inline' ever acceptable in script-src?

In script-src it defeats most of the point of having a CSP, because injected inline script is the usual payload of a cross-site scripting attack. Use a nonce or a hash for the inline scripts you genuinely need. In style-src it is a much smaller risk and plenty of production sites keep it, though a nonce is still better if your framework can emit one.

Should I use the HTTP header or the meta tag?

Use the HTTP header wherever you control the server, because the meta tag ignores frame-ancestors, report-uri, report-to, and sandbox. The meta tag is a reasonable fallback for a static host where you cannot set headers, and this tool gives you both forms of the same policy.

How do I roll out a CSP without breaking my site?

Ship it in report-only mode first. Turn on the report-only toggle here, add a report-uri, and deploy. The browser will send you a violation report for everything the policy would have blocked without actually blocking it. Watch the reports for a week or two, widen the policy where the violations are legitimate, then switch the header to the enforcing name.

What is a nonce, and why does strict-dynamic need one?

A nonce is a random value your server generates per response and puts on both the CSP header and the script tags it trusts. The browser runs only the scripts carrying that nonce. strict-dynamic then says that any script loaded by an already-trusted script is trusted too, which lets a nonce survive script loaders and bundlers without listing every CDN. Generate the nonce fresh on every response. Reusing one across responses makes it worthless.

Can I use this offline?

Yes. Once the page has loaded you can disconnect and keep building or checking policies, because none of it needs the network.

Do you store the policy or header I paste in?

No. The directives you build or the header you paste to check are parsed entirely in your browser and never sent to a server. There is nothing to store because there is no backend call in the first place.

How is this different from a paid CSP tool?

Most paid header scanners run the check server-side, which means your header (and sometimes your source) leaves your machine to get an answer. This one builds and validates the policy client-side, with no sign-up and no per-scan limit.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.