← back to flaviocopes.com

CSP generator

← All tools

Compose a Content-Security-Policy header directive by directive, or start from a preset. Copy the header or meta tag — and see what each rule blocks.

~~~

Presets

~~~

Source values

Click a chip under a directive to append that source. You can also type hosts by hand (e.g. cdn.example.com) or fill “Optional CDN hosts” above — those get appended with each chip click.

~~~

Directives

~~~

Output

Meta tag

~~~

About this tool

Content-Security-Policy limits where scripts, styles, images, and connections may load from. It is one of the best defenses against XSS — if you avoid weakening it with unsafe-inline everywhere.

Start strict, use report-only to collect violations, then tighten. Nonces and hashes beat inline allowances for scripts you control.

~~~

Read more