Skip to content
BEAD

Content Security Policy Builder

Compose a CSP header by picking sources per directive, with copy-ready HTTP header and meta-tag output.

CSP value
default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests
HTTP header
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests
Meta tag
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests" />
</>Use this tool programmaticallycurl · JavaScript · MCP

Same tool, callable from any HTTP client or from Claude (via MCP). Anonymous: 100 req/day per IP. Sign up for 1,000 req/day.

curl
curl https://api.b-e-a-d.com/tools/csp-builder/run \
  -H "Content-Type: application/json" \
  -d '{
  "directives": {},
  "upgradeInsecureRequests": false,
  "blockAllMixedContent": false
}'
JavaScript (fetch)
const res = await fetch("https://api.b-e-a-d.com/tools/csp-builder/run", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
  "directives": {},
  "upgradeInsecureRequests": false,
  "blockAllMixedContent": false
}),
});
const data = await res.json();
console.log(data.result);
MCP (Claude Desktop / Claude Code)
# In Claude Desktop / Claude Code, add to your MCP config:
{
  "mcpServers": {
    "bead": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://mcp.b-e-a-d.com"]
    }
  }
}

# Then ask Claude to call:
mcp__bead__bead_csp_builder

Full reference: developer docs · OpenAPI spec

About CSP

A Content Security Policy is a header (or meta tag) that tells the browser exactly which sources of script, style, image, etc. are allowed for the current page — a strong defence against XSS and data exfiltration.

Avoid 'unsafe-inline' and 'unsafe-eval' when you can; prefer nonces or hashes. Once your policy is built, ship it as the Content-Security-Policy-Report-Only header first to catch violations without breaking the page.

You might also like