CSP Builder
Generate Content Security Policy headers visually — configure directives, use presets, export in any format
Configure each directive below and copy the generated CSP policy in your preferred format.
Start from a Preset
Fallback for all fetch directives not explicitly set
Valid sources for JavaScript
Valid sources for stylesheets
Valid sources for images
Valid targets for fetch, XHR, WebSocket
Valid sources for fonts
Valid sources for nested browsing contexts (iframe)
Valid sources for audio and video
Valid sources for plugins (Flash, etc.)
Valid sources for Worker and SharedWorker scripts
Valid endpoints for form submissions
Valid parents that may embed this page
Restricts the URLs allowed in the <base> element
Tool Features
Build production-ready Content Security Policies
Visual Builder
Configure each CSP directive with checkboxes and inputs
Policy Presets
Start from Strict, Moderate, Development, or WordPress templates
Validation
Highlights conflicts and insecure combinations automatically
Export Formats
Copy as HTTP header, meta tag, or raw CSP string
Generated CSP Policy
Content-Security-Policy — configure directives above to update
HTTP Header
Content-Security-Policy: upgrade-insecure-requests
HTML Meta Tag
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Raw Policy String
upgrade-insecure-requests