CSP Header Builder

Build safer Content-Security-Policy headers, parse violation reports, audit risky directives, and export server-ready snippets locally in your browser.

Browser-BasedResponsive UIPrivacy-First
Privacy: CSP directives, violation logs, and exported snippets stay local in your browser. Nothing is uploaded.

Quick presets

Start from a realistic security posture, then tighten or relax directives with the live audit beside you.

Click a preset to load it

Policy Builder

Strict baseline is active. The builder favors nonce-style script handling instead of enabling unsafe-inline by default.

default-src

Fallback source list for everything not set explicitly.

script-src

Controls JavaScript execution and external script loading.

style-src

Controls stylesheets and inline style allowances.

img-src

Allows images, favicons, SVGs, and image beacons.

connect-src

Covers fetch, XHR, EventSource, and WebSocket targets.

font-src

Controls webfont file loading.

object-src

Plugin and embedded object execution surface.

base-uri

Restricts the document base URL.

frame-ancestors

Controls who can embed your page in a frame.

form-action

Limits where forms are allowed to submit data.

report-uri

Legacy endpoint for violation reporting.

Violation Parser

The parser extracts directives, blocked origins, inline/eval hints, and safer follow-up suggestions without enabling risky options automatically.

Paste a violation message to let the tool suggest the affected directive and add blocked origins where that is safe.

Policy posture

Safer Baseline

This draft avoids the most dangerous CSP allowances and is ready for environment-specific tuning.

Risk score18 / 100
EnforcedStrict baseline

Risk Audit

OK
Policy looks reasonably locked down

No high-risk script execution or wildcard patterns are currently enabled.

Generated Header

Content-Security-Policy

default-src 'self'; script-src 'self' 'nonce-rAnd0m'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';

Export Snippet

HTTP Header
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-rAnd0m'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';

CSP workflow

Build, test, report, then enforce

Start with an allowlist

Use explicit hostnames and strong defaults before broad wildcards. That keeps the policy explainable and easier to debug later.

Use report-only mode first

Deploy a draft policy in report-only mode, capture violations, and tighten missing sources before switching to active enforcement.

Prefer nonces over unsafe-inline

Inline script and eval allowances are convenient but risky. Nonces and hashes preserve stronger XSS protection while still supporting legitimate code paths.

How it works

How this CSP header builder works

Use this free CSP header builder to create Content-Security-Policy rules with safer defaults, directive-level controls, and instant server-ready exports. Instead of stitching together a header from scattered docs, you can choose allowed sources visually, review the generated policy, and copy it as a raw HTTP header, meta tag, Nginx snippet, Apache rule, Helmet config, or Next.js header block.

The page is designed to help with real-world policy work, not just basic string generation. It includes a violation parser for browser console messages and CSP report payloads, a risk audit that flags dangerous values such as unsafe-inline, unsafe-eval, broad wildcard sources, and weak object-src settings, and a strict baseline mode that nudges the policy closer to modern CSP guidance.

CSP mistakes can block analytics, fonts, APIs, or embedded content while weak CSPs can leave XSS paths open. That is why this builder keeps the configuration, audit, and exports on the same screen. You can experiment with directives, understand which rule is creating risk, and move directly into server implementation without leaving the page.

Everything on this page runs locally in your browser. Your directives, pasted console logs, and draft policy values are not uploaded. Use the output as a strong starting point, then validate the final policy in the actual environment where your application runs because real CSP behavior depends on your scripts, styles, third-party services, and deployment stack.