
    CSP Header Builder

    Interactively build a Content-Security-Policy header. Choose directives, add sources, get real-time grading and security tips.


    Fetch Directives

    • default-src: Fallback for other fetch directives. Start strict, then relax specific directives.
    • script-src: Controls which scripts can execute. Critical for XSS prevention.
    • style-src: Controls which stylesheets can be applied.
    • img-src: Controls which images can be loaded.
    • font-src: Controls which fonts can be loaded.
    • connect-src: Controls fetch, XHR, WebSocket, and EventSource connections.
    • media-src: Controls audio and video sources.
    • object-src: Controls plugins (Flash, Java). Should be 'none' on modern sites.
    • frame-src: Controls which URLs can be loaded in iframes.
    • child-src: Controls web workers and nested browsing contexts.
    • worker-src: Controls Worker, SharedWorker, and ServiceWorker scripts.
    • manifest-src: Controls which manifests can be loaded.

    Navigation Directives

    • frame-ancestors: Controls who can embed this page. Replaces X-Frame-Options.
    • form-action: Controls where forms can submit. Prevents form hijacking.
    • base-uri: Restricts URLs for the <base> element. Prevents base tag injection.
    • navigate-to: Restricts URLs the document can navigate to.


    Security Grade and Recommendations

    With no directives configured the builder grades the policy D and recommends:

    • Add default-src as a fallback policy
    • Add script-src to control script execution
    • Add object-src 'none' to block plugins
    • Add base-uri 'self' to prevent base tag injection
    • Add frame-ancestors to prevent clickjacking


    What is Content-Security-Policy?

    Content-Security-Policy (CSP) is an HTTP response header that helps prevent Cross-Site Scripting (XSS), clickjacking, and other code injection attacks. It works by specifying which content sources the browser should trust, effectively creating an allowlist of trusted origins for scripts, styles, images, and more.

    How to Use This Builder

    • Start with a preset — Strict is recommended for new policies
    • Customize directives — Add your CDN domains, API endpoints, etc.
    • Check the grade — Aim for A or higher
    • Test in report-only mode first — Deploy without breaking your site
    • Validate with our CSP Evaluator — Check for known bypasses
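    As an added example (not the builder's own code), the following Python checker parses a CSP header value, rebuilds one from a directive map, and applies the recommendations listed above plus a check for script sources that undo the allowlist. The A-F scale, the helper names and the placeholder CDN are assumptions of this example; the page does not publish its grading formula.

```python
from typing import Dict, List, Tuple

# Checks mirror the builder's recommendations above. The A-F scale
# (one letter step per unmet check) is an assumption of this example.

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):            # directives are ';'-separated
        tokens = part.split()                 # first token is the name
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def build_csp(policy: Dict[str, List[str]]) -> str:
    """Render {directive: [sources]} back into a header value."""
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in policy.items())

def check_csp(header: str) -> Tuple[str, List[str]]:
    """Return (grade, recommendations) for a CSP header value."""
    p = parse_csp(header)
    recs: List[str] = []
    if "default-src" not in p:
        recs.append("Add default-src as a fallback policy")
    if "script-src" not in p:
        recs.append("Add script-src to control script execution")
    if p.get("object-src") != ["'none'"]:
        recs.append("Add object-src 'none' to block plugins")
    if p.get("base-uri") not in (["'self'"], ["'none'"]):   # 'none' is stricter
        recs.append("Add base-uri 'self' to prevent base tag injection")
    if "frame-ancestors" not in p:
        recs.append("Add frame-ancestors to prevent clickjacking")
    # script-src falls back to default-src; either way these sources
    # re-open the XSS door the allowlist is meant to close.
    effective_scripts = p.get("script-src", p.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if weak in effective_scripts:
            recs.append(f"Remove {weak} from script-src")
    return "ABCDF"[min(len(recs), 4)], recs

if __name__ == "__main__":
    # Constructed sample: a strict-style policy with a placeholder CDN host.
    strict = {"default-src": ["'none'"], "script-src": ["'self'", "https://cdn.example"],
              "object-src": ["'none'"], "base-uri": ["'self'"], "frame-ancestors": ["'none'"]}
    print(build_csp(strict))
    print(check_csp(build_csp(strict)))
    print(check_csp("default-src *; script-src 'unsafe-inline'"))
```

    To try a policy without breaking the site, send the same value under Content-Security-Policy-Report-Only first, as the list above advises.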