CSP header generator
Build a Content-Security-Policy header from per-directive fields, ready to deploy.
Related tools
CSP header generator
A Content-Security-Policy header is the strongest single defense against XSS a website can deploy — and one of the easiest headers to get subtly wrong. Fill in the directives you need, leave the rest blank, and the policy assembles itself: default-src as the baseline, with script-src, style-src, img-src, connect-src, font-src and frame-ancestors overriding it where you say so. Empty fields are omitted entirely, which is correct CSP: an absent directive falls back to default-src instead of accidentally allowing everything.
The generator fixes the classic mistake for you: CSP keywords must be quoted, and an unquoted self does not mean "this origin" — it means a host literally named self. Type self, none or unsafe-inline bare and they come out properly quoted; hosts and schemes like https://cdn.example.com or data: stay as they are.
The output format matches where the policy will live: a raw header line for reading and pasting, an HTML meta tag for static sites without server access, or the exact add_header and Header set lines for nginx and Apache configs. The upgrade-insecure-requests toggle appends the directive that transparently rewrites stray http:// subresources to https.
Start strict — default-src 'self' alone — deploy, open the browser console, and add sources as real violations appear; that loop produces tighter policies than guessing upfront. Everything runs locally in your browser: your architecture, CDN choices and API endpoints never leave your device.