Content-Security-Policy Builder
Build a Content-Security-Policy header without memorizing the syntax. Add sources per directive, quick-add common keywords like 'self' and 'none', toggle report-only mode, a report-uri and upgrade-insecure-requests, then copy the finished header, meta tag or nginx line. Everything runs in your browser.
How to build a CSP header
- Add the directives you need, such as default-src and script-src, and fill in each source.
- Quick-add keywords like 'self', 'none' or 'unsafe-inline', or type a host or nonce by hand.
- Toggle report-only, a report-uri or upgrade-insecure-requests, then copy the header, meta tag or nginx line.
Examples
A strict starter policy
default-src 'self', script-src 'self' https://cdn.example.com, object-src 'none'
default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'
Report-only with a report endpoint
default-src 'self', reportOnly: true, reportUri: /csp-report
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report
Frequently asked questions
Is my policy sent to a server?
No. The header, meta tag and nginx line are all generated in your browser from the directives you enter. Nothing you type is uploaded, logged or stored, so it is safe to build a policy for a production site.
What is a Content-Security-Policy and what does it do?
A Content-Security-Policy (CSP) is an HTTP response header that tells the browser which sources of script, style, images and other resources are allowed to load. Its main job is to reduce the impact of cross-site scripting (XSS) by blocking scripts and content from origins you did not approve.
What is the difference between a source, a keyword and a host?
A directive such as script-src takes a list of sources. A keyword source is a quoted token like 'self', 'none', 'unsafe-inline', 'unsafe-eval', a 'nonce-...' or a 'sha256-...' hash, and must keep its single quotes. A host source is a plain origin such as https://cdn.example.com. This builder keeps both exactly as you enter them.
What does report-only mode do?
Report-only mode emits the Content-Security-Policy-Report-Only header instead of the enforcing one. The browser checks every request against your policy and reports violations, usually to a report-uri, but does not block anything. It is the safe way to test a new policy before you enforce it.
What is upgrade-insecure-requests?
upgrade-insecure-requests is a valueless directive that tells the browser to automatically request the https version of any http resource on the page. It helps a site move to HTTPS without hunting down every hard-coded http URL. This builder emits it as a bare directive with no source list.
Should I deliver CSP as a header or a meta tag?
An HTTP response header is the recommended way and supports every directive. A <meta http-equiv> tag is a fallback for static hosts where you cannot set headers, but it cannot use directives like frame-ancestors or report-uri. This tool gives you both plus an nginx add_header line so you can pick whichever fits your setup.
Related tools
Nginx Config Generator
Build an Nginx server block for static sites, reverse proxies or PHP. Toggle SSL, gzip and body size, then copy or download nginx.conf.
HTTP Status Codes
Searchable list of HTTP status codes from 1xx to 5xx. Look up any code by number or name and see what 200, 301, 404 and 500 mean.
Htaccess Generator
Build an Apache .htaccess file with toggles for HTTPS, www, redirects, blocked IPs, error pages, caching and compression. Copy or download it.
.env to JSON
Convert a .env file to JSON, or JSON back to .env. Parses KEY=value lines, comments, quotes and export. Runs entirely in your browser.
Aspect Ratio Calculator
Calculate aspect ratios fast. Enter a ratio like 16:9 and one dimension to get the other, or enter width and height to simplify the ratio.
Base58 Encoder
Encode and decode Base58 online with the Bitcoin alphabet. Convert text to Base58 or back, UTF-8 safe, no confusing 0 O I l. Runs in your browser.