default-src
Fallback source list for everything not set explicitly.
Build safer Content-Security-Policy headers, parse violation reports, audit risky directives, and export server-ready snippets locally in your browser.
Fallback source list for everything not set explicitly.
Controls JavaScript execution and external script loading.
Controls stylesheets and inline style allowances.
Allows images, favicons, SVGs, and image beacons.
Covers fetch, XHR, EventSource, and WebSocket targets.
Controls webfont file loading.
Plugin and embedded object execution surface.
Restricts the document base URL.
Controls who can embed your page in a frame.
Limits where forms are allowed to submit data.
Legacy endpoint for violation reporting.
The parser extracts directives, blocked origins, inline/eval hints, and safer follow-up suggestions without enabling risky options automatically.
Paste a violation message to let the tool suggest the affected directive and add blocked origins where that is safe.
Policy posture
This draft avoids the most dangerous CSP allowances and is ready for environment-specific tuning.
Content-Security-Policy
default-src 'self'; script-src 'self' 'nonce-rAnd0m'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-rAnd0m'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';CSP workflow
Use explicit hostnames and strong defaults before broad wildcards. That keeps the policy explainable and easier to debug later.
Deploy a draft policy in report-only mode, capture violations, and tighten missing sources before switching to active enforcement.
Inline script and eval allowances are convenient but risky. Nonces and hashes preserve stronger XSS protection while still supporting legitimate code paths.
How it works
Use this free CSP header builder to create Content-Security-Policy rules with safer defaults, directive-level controls, and instant server-ready exports. Instead of stitching together a header from scattered docs, you can choose allowed sources visually, review the generated policy, and copy it as a raw HTTP header, meta tag, Nginx snippet, Apache rule, Helmet config, or Next.js header block.
The page is designed to help with real-world policy work, not just basic string generation. It includes a violation parser for browser console messages and CSP report payloads, a risk audit that flags dangerous values such as unsafe-inline, unsafe-eval, broad wildcard sources, and weak object-src settings, and a strict baseline mode that nudges the policy closer to modern CSP guidance.
CSP mistakes can block analytics, fonts, APIs, or embedded content while weak CSPs can leave XSS paths open. That is why this builder keeps the configuration, audit, and exports on the same screen. You can experiment with directives, understand which rule is creating risk, and move directly into server implementation without leaving the page.
Everything on this page runs locally in your browser. Your directives, pasted console logs, and draft policy values are not uploaded. Use the output as a strong starting point, then validate the final policy in the actual environment where your application runs because real CSP behavior depends on your scripts, styles, third-party services, and deployment stack.