DataToolings

CSP Generator

Build Content Security Policy headers visually. Configure directives, add allowed sources, and copy the ready-to-use header or meta tag.

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'">

What Is a Content Security Policy?

A Content Security Policy (CSP) is an HTTP response header that tells browsers which resources are allowed to load on a page. It is one of the most effective defenses against cross-site scripting (XSS) and data injection attacks. You define allowed sources for scripts, styles, images, fonts, and more — the browser blocks anything that does not match.

How to Use

  1. Enable or disable directives using the checkboxes.
  2. Click a quick-value button or type a custom source to add it to a directive.
  3. Remove individual values with the × button.
  4. Copy the generated HTTP header or meta tag output.

Features

  • Visual builder for all standard CSP directives.
  • Quick-insert buttons for common values like 'self', 'none', data:.
  • Generates both HTTP header and HTML meta tag formats.
  • Boolean directives (upgrade-insecure-requests) handled automatically.
  • All processing is client-side — nothing is sent to any server.

FAQ

Header vs meta tag — which should I use?

The HTTP response header is preferred and more powerful — it works for all resource types including navigations. The meta tag is a fallback for cases where you cannot control server headers, but it does not support frame-ancestors or report-uri.

What does 'self' mean?

'self' refers to the same origin (scheme + host + port) as the page. Resources served from your own domain are allowed; external domains are not.

Is 'unsafe-inline' safe to use?

No — it allows inline scripts and styles, which defeats much of the XSS protection CSP provides. Prefer nonces or hashes for inline content, or move scripts to external files served from 'self'.
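As an added example (not the generator's own code), the following Python reproduces what the tool does when it serializes directives into the header and meta-tag forms shown above, and it carries the last FAQ answer through: replacing 'unsafe-inline' with a sha256 hash of a specific inline script, or a per-response nonce. The policy dictionary and the inline script body are constructed sample inputs; the helper names are my own.

```python
import base64
import hashlib
import html
import secrets

# Directives the <meta> form does not honour (see the header-vs-meta FAQ).
META_UNSUPPORTED = {"frame-ancestors", "report-uri"}

# Constructed sample: the same policy the generator output above.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
}

def build_policy(directives):
    """Serialize {directive: [sources]} into a CSP value.
    Boolean directives such as upgrade-insecure-requests use an empty list."""
    parts = [name if not srcs else f"{name} {' '.join(srcs)}"
             for name, srcs in directives.items()]
    return "; ".join(parts)

def header_line(directives):
    return f"Content-Security-Policy: {build_policy(directives)}"

def meta_tag(directives):
    """Meta form: drop directives browsers ignore in <meta>, escape &, <, >."""
    usable = {k: v for k, v in directives.items() if k not in META_UNSUPPORTED}
    content = html.escape(build_policy(usable), quote=False)
    return f'<meta http-equiv="Content-Security-Policy" content="{content}">'

def script_hash(source):
    """Hash source for one inline block; digest covers the exact bytes, whitespace included."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return f"'sha256-{base64.b64encode(digest).decode()}'"

def new_nonce():
    """Fresh random nonce; emit as 'nonce-<value>' in the policy and nonce="<value>" on the tag."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def harden_inline(directives, directive, inline_source):
    """Replace 'unsafe-inline' on one directive with a hash of the specific inline body."""
    srcs = [s for s in directives.get(directive, []) if s != "'unsafe-inline'"]
    return {**directives, directive: srcs + [script_hash(inline_source)]}

if __name__ == "__main__":
    print(header_line(POLICY))
    print(meta_tag({**POLICY, "frame-ancestors": ["'none'"]}))
    print(header_line(harden_inline(POLICY, "style-src", "body { margin: 0 }")))
```

Any edit to the inline block, even a changed space, changes its hash and the browser will block it, which is why nonces are the easier option for content that is rendered dynamically.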