Content Security Policy (CSP) Generator - XSS Shield

Generate highly secure Content Security Policy headers interactively. Configure script-src, style-src, frame-ancestors, and upgrade-insecure-requests with instant output formats.

default-src

Defines the default policy for fetching resources.

script-src

Directs valid sources for JavaScript scripts.

style-src

Directs valid sources for stylesheets.

img-src

Directs sources for images and favicons.

font-src

Directs sources for web fonts loaded via @font-face.

connect-src

Directs sources for fetch/XHR, WebSockets, and EventSource.

frame-src

Directs sources for iframe and nested browsing contexts.

media-src

Directs sources for audio and video media.

object-src

Directs sources for plugins like <object>, <embed>, or <applet>.

worker-src

Directs sources for Worker, SharedWorker, or ServiceWorker.

form-action

Directs valid URLs that can be used as form submission targets.

frame-ancestors

Directs valid parent pages that can embed this page in an iframe.

base-uri

Restricts URLs that can appear in a document's <base> element.

upgrade-insecure-requests

Instructs browsers to upgrade HTTP requests to HTTPS automatically.

report-uri

Optional URI to report CSP violations.

Policy Preview

default-src 'self'
script-src 'self' 'unsafe-inline'
style-src 'self' 'unsafe-inline'
img-src 'self' data:
connect-src 'self'
frame-src 'self'
object-src 'self'
worker-src 'self'
form-action 'self'
frame-ancestors 'self'
base-uri 'self'
upgrade-insecure-requests
report-uri https://your-report-endpoint.com/csp

Output Code

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-src 'self'; object-src 'self'; worker-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests; report-uri https://your-report-endpoint.com/csp">

Secure Sandbox Output: 100% client-side. All CSP generation happens in your browser. No details are transmitted to any servers.

Content Security Policy Generator: Mitigate Web Vulnerabilities with Content Security Policy

Modern web applications pull scripts, stylesheets, fonts, and assets from dozens of different content delivery networks (CDNs) and APIs. Without strict controls, an attacker who successfully injects a malicious script can execute keyloggers, steal active cookies, hijack session tokens, and leak proprietary records.

Implementing a Content Security Policy (CSP) is a core defense-in-depth control for modern web applications. Our **CSP Policy Generator** provides an interactive playground to quickly construct, preview, and export secure headers.

Formula

A standard Content Security Policy is composed of a series of directives separated by semicolons:

default-src 'self'; script-src 'self' 'unsafe-inline' https://apis.google.com; style-src 'self' 'unsafe-inline';

Deploying Your Content Security Policy

Depending on your infrastructure, there are multiple options to install your constructed CSP:

Practical Examples

Nginx Configuration Block

HTML Meta Tag Block

Frequently Asked Questions

What is a Content Security Policy (CSP)?

A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or malware distribution.

How does a CSP defend against Cross-Site Scripting (XSS)?

A CSP enables server administrators to restrict the resources (such as JavaScript, CSS, and images) that the browser is allowed to load for a given page. By blocking unauthorized script origins and disallowing unsafe inline scripts, it mitigates most XSS vectors.

What is the difference between an HTTP header and an HTML meta tag CSP?

An HTTP header is sent by the web server and is the most secure way to deliver a CSP. A meta tag is embedded inside the HTML head block. Note that some directives, such as 'frame-ancestors', 'report-uri', and 'sandbox', are not supported inside HTML meta tags.

What is CSP 'Report-Only' mode?

Report-Only mode instructs the browser to report violations to a specified 'report-uri' endpoint without actually blocking any resources. This is essential for testing new policies on production systems before enforcing them.
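As an added example (not the generator's own code), a small Python model of what the tool does: it serializes a directive map into the semicolon-separated form shown under Formula, emits either the enforcing or the Report-Only header name, builds the meta-tag form while dropping the directives the FAQ says a meta tag cannot carry, and flags 'unsafe-inline' in script-src. The function names and the no-default-src check are assumptions of this example; the directive values are the ones from the Policy Preview.

```python
# Directives a browser ignores when the policy arrives in a <meta> tag (per the FAQ).
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "sandbox"}

# Constructed input: the directive map shown in the Policy Preview above.
PREVIEW: dict[str, list[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
    "frame-ancestors": ["'self'"],
    "base-uri": ["'self'"],
    "upgrade-insecure-requests": [],  # valueless directive
    "report-uri": ["https://your-report-endpoint.com/csp"],
}


def serialize(directives: dict[str, list[str]]) -> str:
    """Join 'name value ...' pairs with '; '; a directive with no values stands alone."""
    return "; ".join(
        f"{name} {' '.join(values)}" if values else name
        for name, values in directives.items()
    )


def header(directives: dict[str, list[str]], report_only: bool = False) -> tuple[str, str]:
    """Return (header name, header value); Report-Only reports violations without blocking."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, serialize(directives)


def meta_tag(directives: dict[str, list[str]]) -> tuple[str, list[str]]:
    """Meta-tag delivery: return the tag plus the directives it had to drop.
    CSP source lists never contain a double quote, so the attribute needs no escaping."""
    dropped = sorted(k for k in directives if k in META_UNSUPPORTED)
    usable = {k: v for k, v in directives.items() if k not in META_UNSUPPORTED}
    return f'<meta http-equiv="Content-Security-Policy" content="{serialize(usable)}">', dropped


def lint(directives: dict[str, list[str]]) -> list[str]:
    """Flag the weaknesses this page calls out; an empty list means none were found."""
    findings = []
    if "default-src" not in directives:
        findings.append("no default-src: fetch directives you omit fall back to no restriction")
    # script-src inherits from default-src when it is absent
    script = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline': injected inline <script> still runs")
    return findings
```

Run `lint(PREVIEW)` before `header(PREVIEW, report_only=True)` and you get the same sequence the FAQ recommends: fix the findings, deploy in Report-Only to the report-uri endpoint, then switch to the enforcing header.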

Why is 'unsafe-inline' discouraged?

Allowing 'unsafe-inline' in your script-src directive permits the execution of inline