CSP Header Generator

Generate Content-Security-Policy headers with presets (strict, moderate, permissive) or custom directives.

Directives

default-src

script-src

style-src

img-src

font-src

connect-src

frame-src

object-src

base-uri

form-action

frame-ancestors

upgrade-insecure-requestsblock-all-mixed-content

HTTP Header

Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content

Meta Tag

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content">

Common source values:

'none' - blocks everything
'self' - same origin only
'unsafe-inline' - allows inline scripts/styles
'unsafe-eval' - allows eval()
https: - any HTTPS origin
data: - data: URIs
blob: - blob: URIs
*.example.com - wildcard subdomain

Was this page helpful?

CSP Header Generator

Related tools