Content Security Policy Builder
Compose a CSP header by picking sources per directive, with copy-ready HTTP header and meta-tag output.
CSP value
default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests
HTTP header
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests
Meta tag
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests" />
</>Use this tool programmaticallycurl · JavaScript · MCP
Same tool, callable from any HTTP client or from Claude (via MCP). Anonymous: 100 req/day per IP. Sign up for 1,000 req/day.
curl
curl https://api.b-e-a-d.com/tools/csp-builder/run \
-H "Content-Type: application/json" \
-d '{
"directives": {},
"upgradeInsecureRequests": false,
"blockAllMixedContent": false
}'JavaScript (fetch)
const res = await fetch("https://api.b-e-a-d.com/tools/csp-builder/run", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
"directives": {},
"upgradeInsecureRequests": false,
"blockAllMixedContent": false
}),
});
const data = await res.json();
console.log(data.result);MCP (Claude Desktop / Claude Code)
# In Claude Desktop / Claude Code, add to your MCP config:
{
"mcpServers": {
"bead": {
"command": "npx",
"args": ["-y", "mcp-remote", "https://mcp.b-e-a-d.com"]
}
}
}
# Then ask Claude to call:
mcp__bead__bead_csp_builderFull reference: developer docs · OpenAPI spec
About CSP
A Content Security Policy is a header (or meta tag) that tells the browser exactly which sources of script, style, image, etc. are allowed for the current page — a strong defence against XSS and data exfiltration.
Avoid 'unsafe-inline' and 'unsafe-eval' when you can; prefer nonces or hashes. Once your policy is built, ship it as the Content-Security-Policy-Report-Only header first to catch violations without breaking the page.
You might also like
- User-Agent ParserDecode any User-Agent into browser, OS, device, engine, and CPU fields.
- Cache-Control Header BuilderBuild HTTP Cache-Control headers with presets for static assets, APIs, and private responses.
- Apache / Nginx Log ParserParse Combined Log Format lines into structured rows with status mix, top paths, and per-row filtering.
- Aspect Ratio CalculatorLock in an aspect ratio and compute missing width or height — for video, images, or layouts.