CSP Builder

Generate Content Security Policy headers visually — configure directives, use presets, export in any format

Configure each directive below and copy the generated CSP policy in your preferred format.

Start from a Preset

Global Options

Directives (0 / 13 configured)

Fallback for all fetch directives not explicitly set
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Valid sources for JavaScript
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Valid sources for stylesheets
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Valid sources for images
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Valid targets for fetch, XHR, WebSocket
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Valid sources for fonts
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Valid sources for nested browsing contexts (iframe)
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Valid sources for audio and video
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Valid sources for plugins (Flash, etc.)
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Valid sources for Worker and SharedWorker scripts
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Valid endpoints for form submissions
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Valid parents that may embed this page
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Restricts URLs for <base> element
Keywords: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample'

Tool Features

Build production-ready Content Security Policies

Visual Builder

Configure each CSP directive with checkboxes and inputs

Policy Presets

Start from Strict, Moderate, Development, or WordPress templates

Validation

Highlights conflicts and insecure combinations automatically

Export Formats

Copy as HTTP header, meta tag, or raw CSP string

Generated CSP Policy

Content-Security-Policy — configure directives above to update

HTTP Header
Content-Security-Policy: upgrade-insecure-requests
HTML Meta Tag
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Raw Policy String
upgrade-insecure-requests