Content Security Policy Builder
Compose a CSP header by picking sources per directive, with copy-ready HTTP header and meta-tag output.
CSP value
default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests
HTTP header
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests
Meta tag
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests" />
About CSP
A Content Security Policy is a header (or meta tag) that tells the browser exactly which sources of script, style, image, etc. are allowed for the current page — a strong defence against XSS and data exfiltration.
Avoid 'unsafe-inline' and 'unsafe-eval' when you can; prefer nonces or hashes. Once your policy is built, ship it as the Content-Security-Policy-Report-Only header first to catch violations without breaking the page.
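As an added example (not code from this tool), the Node.js code below lints a policy for the two keywords named above and for directives that browsers ignore when the policy is delivered in a meta tag (frame-ancestors, report-uri, sandbox), then builds the Content-Security-Policy-Report-Only header with a fresh script nonce for one response. The function names and the optional nonce parameter are assumptions made for illustration.

```javascript
const { randomBytes } = require('node:crypto');

// Policy string exactly as emitted by the builder above.
const POLICY = "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests";

// Directives that browsers ignore when a policy arrives via <meta http-equiv>.
const META_IGNORED = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// Parse "name v1 v2; name2 ..." into a Map of directive -> values.
// A duplicated directive keeps its first occurrence, as browsers do.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([name, values]) => [name, ...values].join(' ')).join('; ');
}

// Findings to resolve before the policy is enforced (hypothetical helper).
function lintCsp(value, { viaMeta = false } = {}) {
  const findings = [];
  for (const [name, values] of parseCsp(value)) {
    for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (values.some((v) => v.toLowerCase() === kw)) findings.push(`${name}: contains ${kw}`);
    }
    if (viaMeta && META_IGNORED.has(name)) findings.push(`${name}: ignored in a meta tag`);
  }
  return findings;
}

// Build the Report-Only header for ONE response, adding a fresh script nonce.
// The nonce parameter exists only so a caller can supply a known value.
function reportOnlyHeader(value, nonce = randomBytes(16).toString('base64')) {
  const directives = parseCsp(value);
  const base = directives.get('script-src') || directives.get('default-src') || [];
  directives.set('script-src', [...base, `'nonce-${nonce}'`]);
  return { name: 'Content-Security-Policy-Report-Only', value: serializeCsp(directives), nonce };
}
```

The returned nonce has to be written into the nonce attribute of every inline script in that same response and regenerated for each response. Report-Only is only honoured as an HTTP header, not in a meta tag.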