CSP generator

Generate a strict starter Content-Security-Policy header and adjust common source rules. Nothing leaves your browser.

Generated header
default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests

Review before production - CSP is application-specific. Start strict, then add only the sources your site really needs.

Guide

CSP Generator: what it does and how to use it

What this security tool does

This CSP generator creates a starter Content-Security-Policy header. CSP helps reduce XSS risk by controlling which scripts, styles, images, frames, fonts, and network endpoints a browser may load.

How it works

Choose common allowances such as external HTTPS images, analytics endpoints, frames, and API origins. The tool assembles a strict baseline policy that you can test and refine in your own application.

Examples

  • Create a default-src self policy.
  • Add an API origin to connect-src.
  • Prepare a starter CSP for a Next.js site.
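The assembly step described under "How it works" and the first two examples above, written out as an added illustration (this is not the tool's own code). It starts from the baseline header shown on this page, applies allowance options whose names (apiOrigins, analyticsOrigins, frameOrigins) are assumptions, and refuses values that are not bare https origins:

```javascript
const BASELINE = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "style-src": ["'self'", "'unsafe-inline'"],
  "img-src": ["'self'", "data:", "https:"],
  "font-src": ["'self'"],
  "connect-src": ["'self'"],
  "frame-src": ["'none'"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "form-action": ["'self'"],
  "frame-ancestors": ["'none'"],
  "upgrade-insecure-requests": [],
};
// Accept only a bare https origin (scheme + host[:port]); a path, query
// or fragment usually means a full URL was pasted instead of an origin.
function assertOrigin(value) {
  const u = new URL(value);
  if (u.protocol !== "https:" || u.pathname !== "/" || u.search || u.hash) {
    throw new Error(`not a bare https origin: ${value}`);
  }
  return u.origin;
}

// Assemble the header from the baseline plus the chosen allowances.
// Option names (apiOrigins, analyticsOrigins, frameOrigins) are assumed.
function buildCsp(opts = {}) {
  const d = Object.fromEntries(
    Object.entries(BASELINE).map(([k, v]) => [k, [...v]])); // copy, never mutate
  const add = (directive, values) => {
    // 'none' cannot coexist with other sources, so drop it when widening
    d[directive] = d[directive].filter((s) => s !== "'none'");
    for (const v of values) if (!d[directive].includes(v)) d[directive].push(v);
  };
  if (opts.apiOrigins) add("connect-src", opts.apiOrigins.map(assertOrigin));
  if (opts.analyticsOrigins) {
    const o = opts.analyticsOrigins.map(assertOrigin);
    add("script-src", o);
    add("connect-src", o);
  }
  if (opts.frameOrigins) add("frame-src", opts.frameOrigins.map(assertOrigin));
  return Object.entries(d)
    .map(([k, v]) => (v.length ? `${k} ${v.join(" ")}` : k))
    .join("; ");
}

// Header name for the report-only trial the guide recommends before enforcing.
function headerName(reportOnly) {
  return reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
}
```

With no options, buildCsp() returns exactly the generated header shown above; each allowance widens one directive and drops a conflicting 'none'.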

Security considerations

CSP is application-specific. Test in report-only mode first and avoid adding broad sources unless the site genuinely needs them.

FAQ

Can CSP replace escaping?

No. CSP is defense-in-depth and should complement secure coding practices.

Why is unsafe-inline risky?

In script-src it lets the browser run any inline script, including injected ones, so it undoes most of the XSS protection unless the directive also carries nonces or hashes.

Is the generated policy production-ready?

It is a strong starting point, but every production site needs testing.