Build Content-Security-Policy headers visually. No more syntax headaches.
Content Security Policy (CSP) is an HTTP response header that tells the browser which sources of content may load on your page. It is the most effective defense against Cross-Site Scripting (XSS): if a malicious script is injected into your page, CSP stops it from executing unless its source is on the allowlist.
CSP works through directives that each govern one resource type: script-src for JavaScript, style-src for CSS, img-src for images, with default-src as the fallback for any type you don't set explicitly. The keyword 'self' means "same origin only," while 'none' blocks the resource type entirely.
The most impactful quick win is script-src 'self', which blocks all inline scripts and scripts from other domains. Sites that use Google Fonts, analytics or CDNs need to add those domains explicitly. object-src 'none' blocks Flash and other plugins. This tool lets you build the header visually instead of memorizing the syntax.
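The following is an added example, not code from this tool: it builds a header value from a dictionary of directives (the serialization the generator performs), parses one back, decides whether a given URL would be allowed under a directive (including the default-src fallback and the 'self' / 'none' keywords described above), and flags the settings that undo CSP's value as an XSS mitigation. The hostnames cdn.example.com and example.com are constructed; fonts.googleapis.com is the Google Fonts host mentioned above. Nonces, hashes and wildcard ports are deliberately not modelled.

```python
"""Build, parse and sanity-check Content-Security-Policy header values.

Added example. Source matching below is a simplified reading of CSP
source-expression rules: no nonces, hashes, wildcard ports or 'strict-dynamic'.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"https": 443, "http": 80}


def build_csp(directives):
    """Serialise {directive: [source, ...]} into a header value.

    Sources within a directive are space-separated; directives are
    separated by semicolons. This is the syntax the generator emits."""
    parts = []
    for name, sources in directives.items():
        if not sources:
            raise ValueError(f"{name} needs at least one source")
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


def parse_csp(header):
    """Inverse of build_csp: header value -> {directive: [sources]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src when absent. None means
    the browser applies no restriction at all to that resource type."""
    return policy.get(directive, policy.get("default-src"))


def _origin(url):
    u = urlparse(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def _host_source_matches(source, url):
    """Match a scheme-source (https:), a host-source (cdn.example.com,
    https://cdn.example.com:8443, *.example.com) or * against a URL."""
    scheme, host, port = _origin(url)
    if source == "*":
        return scheme in DEFAULT_PORTS
    if source.endswith(":") and "//" not in source:  # scheme-source
        return scheme == source[:-1]
    s = urlparse(source if "//" in source else "//" + source)
    if s.scheme and s.scheme != scheme:
        return False
    if not s.scheme and scheme not in DEFAULT_PORTS:
        return False  # scheme-less host-source: http(s) only (simplification)
    pattern = s.hostname or ""
    if pattern.startswith("*."):
        # *.example.com covers sub.example.com but not example.com itself
        if not host.endswith(pattern[1:]):
            return False
    elif pattern != host:
        return False
    expected_port = s.port or DEFAULT_PORTS.get(s.scheme or scheme)
    return port == expected_port


def allows(policy, directive, url, page_origin):
    """Would a browser enforcing `policy` load `url` for `directive`
    on a page served from `page_origin`?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # no governing directive: unrestricted
    lowered = [s.lower() for s in sources]
    if lowered == ["'none'"]:
        return False
    for src in lowered:
        if src == "'self'":
            if _origin(url) == _origin(page_origin):
                return True
        elif src.startswith("'"):
            continue  # 'unsafe-inline' and friends never match a URL
        elif _host_source_matches(src, url):
            return True
    return False


def inline_allowed(policy, directive):
    """Inline <script>/<style> blocks run only with 'unsafe-inline'
    (nonces and hashes, which also permit them, are not modelled)."""
    sources = effective_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in [s.lower() for s in sources]


def lint(policy):
    """Flag the settings that let an injected script run anyway."""
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: undeclared resource types are unrestricted")
    elif "*" in policy["default-src"]:
        findings.append("default-src * allows any origin as the fallback")
    scripts = [s.lower() for s in effective_sources(policy, "script-src") or []]
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:"):
        if bad in scripts:
            findings.append(f"script-src allows {bad}, so an injected script can run")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can still load")
    return findings


# Constructed sample policy in the shape the generator produces.
STRONG = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "style-src": ["'self'", "https://fonts.googleapis.com"],
    "object-src": ["'none'"],
}
WEAK_HEADER = "default-src *; script-src 'unsafe-inline' https:"

if __name__ == "__main__":
    print(build_csp(STRONG))
    for finding in lint(parse_csp(WEAK_HEADER)):
        print("-", finding)
```

Because `effective_sources` returns None when neither the directive nor default-src is present, `allows` answers True for that case, which is exactly why the generator should always emit a default-src: a policy of only `img-src *.example.com` leaves script loading completely unrestricted.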