
CSP Generator

Generate Content Security Policy headers to protect your website from XSS attacks and code injection

Security Header Builder

Craft a hardened Content Security Policy and complementary response headers.


Quick Start Templates

🔒 Strict Policy

Maximum security for modern web applications

⚖️ Moderate Policy

Balance between security and compatibility

⚠️ Less secure than the strict policy because it allows 'unsafe-inline'

📦 Legacy Compatible

Maximum compatibility for older websites

⚠️ Less secure; migrate to a stricter policy over time

📊 Report-Only Mode

Monitor violations without blocking: the same policy is sent as Content-Security-Policy-Report-Only, so violations are reported but nothing is enforced

Build Your Policy

📥 Fetch Directives (Resource Loading)

default-src (currently 'self'): fallback for every fetch directive that is not set explicitly

script-src: JavaScript sources

style-src: CSS sources

img-src: image sources

font-src: font sources

connect-src: AJAX, WebSocket, EventSource

media-src: audio and video sources

object-src: plugin content loaded by <object> and <embed> (and the obsolete <applet>)

frame-src: iframe sources

child-src: web workers and nested browsing contexts (fallback for frame-src and worker-src)

manifest-src: web app manifest

worker-src: Worker, SharedWorker and ServiceWorker scripts

📄 Document Directives

base-uri: restrict <base> tag URLs (does not fall back to default-src)

sandbox: enable sandbox restrictions, with the same flags as the iframe sandbox attribute (ignored in report-only mode)

🧭 Navigation Directives

form-action: form submission targets (does not fall back to default-src)

frame-ancestors: which origins may embed the page in an iframe; replaces X-Frame-Options (does not fall back to default-src, and is only honoured when sent as a header, not in a <meta> tag)

navigate-to: navigation targets

⚠️ Not implemented by major browsers

📊 Reporting Directives

report-uri: violation report endpoint (deprecated in CSP Level 3, but still the only reporting mechanism Safari supports)

report-to: Reporting API group, which must be declared with a Reporting-Endpoints (or older Report-To) header
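Reports arrive in two different JSON shapes depending on which directive delivered them: report-uri posts a single `{"csp-report": {...}}` object with kebab-case keys as `application/csp-report`, while report-to batches Reporting API reports of type `csp-violation` with camelCase keys as `application/reports+json`. The following added example (not the tool's own code) normalizes both into one record and discards the browser-extension noise that dominates real feeds. The endpoint URL and group name are assumptions, and the sample reports are constructed.

```javascript
// Added example (not the tool's own code): normalize violation reports that
// arrive through report-uri (application/csp-report) or report-to (Reporting
// API, application/reports+json) into one shape, then drop extension noise.
const ENDPOINT_GROUP = 'csp-endpoint';                  // assumed group name
const ENDPOINT_URL = 'https://example.com/csp-reports'; // assumed endpoint URL

// report-to only works if the group is declared; Reporting-Endpoints does that.
// report-uri is kept alongside it for browsers without Reporting API support.
function reportingHeaders(policy) {
  return {
    'Reporting-Endpoints': `${ENDPOINT_GROUP}="${ENDPOINT_URL}"`,
    'Content-Security-Policy-Report-Only':
      `${policy}; report-uri ${ENDPOINT_URL}; report-to ${ENDPOINT_GROUP}`,
  };
}

const EXTENSION_SCHEME = /^(chrome|moz|safari|ms-browser)-extension:/;

// report-uri body: {"csp-report": {...}} with kebab-case keys.
function fromReportUri(body) {
  const r = body['csp-report'];
  return {
    document: r['document-uri'],
    directive: r['effective-directive'] || r['violated-directive'],
    blocked: r['blocked-uri'],
    sourceFile: r['source-file'] || null,
    line: r['line-number'] ?? null,
    sample: r['script-sample'] || null,
    disposition: r.disposition || 'enforce',
  };
}

// report-to body: one Reporting API report; CSP ones have type "csp-violation"
// and camelCase keys under body.
function fromReportTo(report) {
  const b = report.body;
  return {
    document: b.documentURL,
    directive: b.effectiveDirective,
    blocked: b.blockedURL,
    sourceFile: b.sourceFile || null,
    line: b.lineNumber ?? null,
    sample: b.sample || null,
    disposition: b.disposition || 'enforce',
  };
}

// Extensions inject scripts and fetches the site never served; those reports
// are not the site's bug and would drown the real ones.
function isActionable(v) {
  return !EXTENSION_SCHEME.test(v.blocked || '') && !EXTENSION_SCHEME.test(v.sourceFile || '');
}

function normalizeReports(contentType, body) {
  let violations;
  if (contentType.startsWith('application/csp-report')) {
    violations = [fromReportUri(body)];
  } else if (contentType.startsWith('application/reports+json')) {
    violations = body.filter((r) => r.type === 'csp-violation').map(fromReportTo);
  } else {
    throw new Error(`unexpected Content-Type: ${contentType}`);
  }
  return violations.filter(isActionable);
}

// Group by directive and blocked URL: the counts show which entries the policy needs.
function summarize(violations) {
  const counts = new Map();
  for (const v of violations) {
    const key = `${v.directive} -> ${v.blocked}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Constructed samples, one in each delivery format.
const SAMPLE_REPORT_URI = {
  'csp-report': {
    'document-uri': 'https://example.com/checkout',
    'violated-directive': 'script-src-elem',
    'effective-directive': 'script-src-elem',
    'original-policy': "default-src 'self'; report-uri https://example.com/csp-reports",
    'blocked-uri': 'inline',
    'source-file': 'https://example.com/checkout',
    'line-number': 42,
    'script-sample': "document.write('<img src=\"//",
    disposition: 'report',
  },
};
const SAMPLE_REPORT_TO = [
  { type: 'csp-violation', age: 1200, url: 'https://example.com/', user_agent: 'constructed',
    body: { documentURL: 'https://example.com/', blockedURL: 'chrome-extension://abcdefghijklmnop/inject.js',
            effectiveDirective: 'script-src-elem', originalPolicy: "default-src 'self'", disposition: 'enforce', statusCode: 200 } },
  { type: 'csp-violation', age: 900, url: 'https://example.com/', user_agent: 'constructed',
    body: { documentURL: 'https://example.com/', blockedURL: 'https://cdn.third-party.example/tag.js',
            effectiveDirective: 'script-src-elem', originalPolicy: "default-src 'self'", disposition: 'enforce', statusCode: 200 } },
  { type: 'deprecation', age: 10, url: 'https://example.com/', user_agent: 'constructed', body: { id: 'constructed' } },
];

console.log(summarize([
  ...normalizeReports('application/csp-report; charset=utf-8', SAMPLE_REPORT_URI),
  ...normalizeReports('application/reports+json', SAMPLE_REPORT_TO),
]));
```

The `disposition` field distinguishes reports from an enforced policy from those generated by a report-only one, which matters when both headers are sent during a migration; the `inline` and `eval` pseudo-URLs in `blocked` mark inline scripts and eval() calls that a nonce or hash (or, as a last resort, 'unsafe-inline') would have to cover.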

⚙️ Other Directives

upgrade-insecure-requests: rewrites http: URLs to https: before the browser fetches them (subresources and same-origin navigations)

block-all-mixed-content: block HTTP subresources on HTTPS pages (deprecated; browsers already block active mixed content, and upgrade-insecure-requests covers the rest)

require-trusted-types-for 'script': only Trusted Types values may reach DOM XSS sinks such as innerHTML and eval

trusted-types: names of the Trusted Types policies the page may create

Validation & Security Grade

1 pass, 5 warnings, 0 errors

Security grade: F (for the default policy, default-src 'self' alone)

Valid CSP syntax

⚠️ object-src not configured

Set object-src to 'none' to disable plugins

⚠️ base-uri not configured

Set base-uri to 'self' to prevent <base> tag injection; base-uri does not inherit from default-src

⚠️ form-action not configured

Set form-action to 'self' to prevent form hijacking

⚠️ frame-ancestors not configured

Set frame-ancestors to 'none' or 'self' to prevent clickjacking; it replaces X-Frame-Options and does not inherit from default-src

⚠️ No reporting configured

Add report-uri or report-to to monitor violations
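The checks above follow directly from how directives inherit: object-src falls back to default-src, so it only needs an explicit value when that fallback is permissive, while base-uri, form-action and frame-ancestors never inherit and are wide open until set. The following added example (not the generator's own validator) parses a header value the way browsers do and reproduces these warnings, plus the script-src checks a reviewer would add: 'unsafe-inline' without a nonce or hash, wildcard or scheme-only sources without 'strict-dynamic', and a policy that restricts scripts not at all. The point values and grade cut-offs are this example's own choice, tuned so the generator's default policy lands on the F shown above.

```javascript
// Added example (not the tool's own validator): parse a CSP header value and
// run the checks the grade panel reports, plus script-src checks a reviewer
// would add. Point values and grade cut-offs are this example's own choice.
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'script-src-elem', 'script-src-attr',
  'style-src', 'style-src-elem', 'style-src-attr', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src', 'child-src',
  'manifest-src', 'worker-src', 'base-uri', 'sandbox', 'form-action',
  'frame-ancestors', 'navigate-to', 'report-uri', 'report-to',
  'upgrade-insecure-requests', 'block-all-mixed-content',
  'require-trusted-types-for', 'trusted-types',
]);

// Tokenize as browsers do: directives split on ';', tokens on whitespace,
// names are case-insensitive, and a repeated directive is ignored (first wins).
function parseCsp(header) {
  const directives = new Map();
  const problems = [];
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!KNOWN_DIRECTIVES.has(name)) problems.push(`unknown directive '${name}' (browsers ignore it)`);
    if (directives.has(name)) { problems.push(`duplicate directive '${name}' ignored`); continue; }
    directives.set(name, tokens.slice(1));
  }
  return { directives, problems };
}

const NONCE_OR_HASH = /^'(nonce-[A-Za-z0-9+/_=-]+|sha(256|384|512)-[A-Za-z0-9+/_=-]+)'$/;
const BROAD_SOURCE = /^(\*|https?:|data:|blob:|filesystem:)$/;

function lintCsp(header) {
  const { directives, problems } = parseCsp(header);
  const passes = [], warnings = [], errors = [];
  if (problems.length === 0) passes.push('Valid CSP syntax'); else warnings.push(...problems);

  const defaultSrc = directives.get('default-src');
  // object-src inherits from default-src, so it only needs its own entry when
  // that fallback is permissive.
  if (!directives.has('object-src') && !(defaultSrc || []).includes("'none'"))
    warnings.push("object-src not configured: set object-src 'none' to disable plugins");
  // These never inherit from default-src, so omitting them leaves them open.
  if (!directives.has('base-uri')) warnings.push("base-uri not configured: set base-uri 'self' to prevent <base> injection");
  if (!directives.has('form-action')) warnings.push("form-action not configured: set form-action 'self' to prevent form hijacking");
  if (!directives.has('frame-ancestors')) warnings.push("frame-ancestors not configured: set it to 'none' or 'self' to prevent clickjacking");
  if (!directives.has('report-uri') && !directives.has('report-to')) warnings.push('no reporting configured: add report-uri or report-to');

  // Script sources: explicit script-src, else the default-src fallback.
  const scriptSrc = directives.get('script-src') || defaultSrc;
  if (!scriptSrc) {
    errors.push('neither script-src nor default-src is set: scripts are unrestricted');
  } else {
    const gated = scriptSrc.some((s) => NONCE_OR_HASH.test(s));
    const strictDynamic = scriptSrc.includes("'strict-dynamic'");
    // With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    if (scriptSrc.includes("'unsafe-inline'") && !gated)
      errors.push("'unsafe-inline' in script-src without a nonce or hash: injected inline scripts run");
    if (scriptSrc.includes("'unsafe-eval'"))
      warnings.push("'unsafe-eval' in script-src allows eval() and new Function()");
    // With 'strict-dynamic', host and scheme sources are ignored, so they are harmless.
    if (!strictDynamic)
      for (const s of scriptSrc) if (BROAD_SOURCE.test(s)) errors.push(`script-src allows any ${s} script`);
  }

  const score = 100 - 30 * errors.length - 15 * warnings.length;
  const grade = score >= 90 ? 'A' : score >= 80 ? 'B' : score >= 70 ? 'C' : score >= 60 ? 'D' : 'F';
  return { passes, warnings, errors, grade };
}

// Stand-alone demo: the generator's default policy.
console.log(lintCsp("default-src 'self';"));
```

Run against `default-src 'self';` this yields one pass, the five warnings listed above, no errors and an F; a nonce-based strict policy that sets all four hardening directives and a reporting directive yields no warnings at all.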

Browser Compatibility

Chrome 90+

✓ Full support

Firefox 89+

✓ Full support

Safari 14+

No report-to support

⚠ Partial

Edge 90+

✓ Full support

IE 11

Does not support the Content-Security-Policy header; it only honours the sandbox directive sent via the legacy X-Content-Security-Policy header

⚠ Partial

Generated Policy

Content-Security-Policy: default-src 'self';
Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), notifications=(), payment=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin
X-Permitted-Cross-Domain-Policies: none

Cross-Origin-Embedder-Policy: require-corp makes the browser refuse every cross-origin subresource that does not opt in through CORS or a Cross-Origin-Resource-Policy header, so roll it out as Cross-Origin-Embedder-Policy-Report-Only first and check the reports before enforcing it.



Frequently Asked Questions

Common questions about the CSP Generator

Content Security Policy (CSP) is an HTTP response header that tells the browser which sources it may load resources from. By allowlisting trusted origins, gating inline scripts behind nonces or hashes, and restricting where the page may be framed, it mitigates cross-site scripting (XSS), clickjacking and other code injection; it is a defense-in-depth layer, not a substitute for output encoding. Example: Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com. Key directives: script-src (JavaScript), style-src (CSS), img-src (images), connect-src (AJAX, WebSocket, EventSource) and frame-ancestors (embedding). Current browsers implement CSP Level 3.
