CSP generator
Compose a Content-Security-Policy header directive by directive, or start from a preset. Copy the header or meta tag — and see what each rule blocks.
~~~
Presets
~~~
Source values
Click a chip under a directive to append that source. You can also type hosts by hand (e.g. cdn.example.com) or fill “Optional CDN hosts” above — those get appended with each chip click.
~~~
Directives
~~~
Output
Meta tag
| Directive | Value | Blocks |
|---|---|---|
~~~
About this tool
Content-Security-Policy limits where scripts, styles, images, and connections may load from. It is one of the best defenses against XSS — if you avoid weakening it with unsafe-inline everywhere.
Start strict, use report-only to collect violations, then tighten. Nonces and hashes beat inline allowances for scripts you control.
~~~