CSP Header Generator
Generate Content-Security-Policy headers with a visual editor. Pick directives, use presets, and copy the result.
Generated Policy
HTTP Header
Content-Security-Policy: default-src 'self'
HTML Meta Tag
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
How to Use CSP Header Generator
1. Start with a preset (strict, moderate, or permissive) or build from scratch.
2. Configure individual directives such as script-src, style-src, and img-src.
3. Add allowed sources (self, specific domains, inline, eval) for each directive.
4. Preview the generated CSP header string.
5. Copy the result as an HTTP header or HTML meta tag.
Frequently Asked Questions
What is Content-Security-Policy (CSP)?
CSP is an HTTP header that controls which resources a browser may load for a page. It helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks.
What does each directive do?
default-src is the fallback for all resource types. script-src controls JavaScript, style-src controls CSS, img-src controls images, connect-src controls fetch/XHR requests, font-src controls fonts, frame-src controls iframes, and form-action controls form submissions.
Should I use a CSP meta tag or HTTP header?
An HTTP header is preferred because it covers all content types. A meta tag works for basic policies but has limitations: it cannot use the frame-ancestors or report-uri directives.
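The generator steps above and the meta-tag limitation just described, as an added example that is not the tool's own code: a small builder that serialises a directive map into the header and meta-tag forms, drops the directives a meta tag cannot carry, and lints for the weak values the FAQ warns against. The directive names, sample sources and the sandbox entry are assumptions for illustration.

```javascript
// Added example (not the generator's own code): build a CSP from a directive
// map, render it as an HTTP header or <meta> tag, and flag weak settings.
// Directives a <meta> tag cannot deliver: frame-ancestors and report-uri as
// the FAQ says, plus sandbox, which CSP3 also ignores in <meta>.
const META_UNSUPPORTED = new Set(["frame-ancestors", "report-uri", "sandbox"]);
// Serialise {directive: [sources]} into the policy string browsers parse.
// Sources may not contain ';', ',', whitespace or '"': the first three would let
// one value smuggle in extra directives, '"' would break the meta tag attribute.
function buildPolicy(directives) {
  const parts = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (!/^[a-z][a-z0-9-]*$/.test(name)) throw new Error(`bad directive: ${name}`);
    for (const s of sources) {
      if (s === "" || /[;,\s"]/.test(s)) throw new Error(`bad source in ${name}: ${s}`);
    }
    parts.push(sources.length ? `${name} ${sources.join(" ")}` : name);
  }
  return parts.join("; ");
}
function toHeader(directives) {
  return `Content-Security-Policy: ${buildPolicy(directives)}`;
}
// Meta delivery: drop directives the browser would silently ignore and return
// their names so the user knows to move them into the HTTP header instead.
function toMetaTag(directives) {
  const kept = {}, dropped = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (META_UNSUPPORTED.has(name)) dropped.push(name); else kept[name] = sources;
  }
  return { tag: `<meta http-equiv="Content-Security-Policy" content="${buildPolicy(kept)}">`, dropped };
}
// Lint for the values the FAQ warns against or that hollow out the policy.
function lintPolicy(directives) {
  const warnings = directives["default-src"] ? [] : ["no default-src: unlisted resource types are unrestricted"];
  for (const [name, sources] of Object.entries(directives)) {
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'", "*"]) {
      if (sources.includes(weak)) warnings.push(`${name} allows ${weak}`);
    }
  }
  return warnings;
}
// Constructed sample policy for illustration.
const sample = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example.com", "'unsafe-inline'"],
  "frame-ancestors": ["'none'"],
  "report-uri": ["/csp-report"],
};
console.log(toHeader(sample));
console.log(toMetaTag(sample)); // frame-ancestors and report-uri dropped
console.log(lintPolicy(sample)); // ["script-src allows 'unsafe-inline'"]
```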
What are common CSP values?
'self' allows same-origin sources only. 'none' blocks all sources. 'unsafe-inline' allows inline scripts and styles (not recommended). A specific origin such as https://cdn.example.com allows resources from that origin.
Is my CSP configuration processed locally?
Yes, the CSP header is built entirely in your browser. No configuration data is sent to any server.
Can I copy the generated CSP header?
Yes. The generated header string can be copied with one click for pasting into your web server configuration, .htaccess file, or application middleware.
How do I test my CSP policy?
After deploying the CSP header, open your browser's developer tools and check the console for CSP violation reports. You can also use the report-uri or report-to directives to collect violation reports in production.