CSP Header Generator
Build a Content Security Policy header from common directives, presets, reporting mode, and security checks.
Policy summary
Header name: Content-Security-Policy
Review 3 warnings before using this header in production.
Directives: 3
Warnings: 3
Mode: Enforce
Reporting: Disabled
Implementation notes
- Start in Report-Only mode when deploying CSP to an existing production site.
- Avoid 'unsafe-inline' and 'unsafe-eval' unless you have a migration plan for nonces or hashes.
- Tune script-src, connect-src, img-src, and frame-src against real browser reports before enforcing.
Warnings
- default-src is empty. Add a fallback source for unspecified resource types.
- object-src is not set to 'none'. Set it to 'none' to disable plugins unless you explicitly need them.
- No report URI is set. Add reporting before enforcing if you need rollout visibility.
Generated header
Ready to paste into server headers:
Content-Security-Policy: base-uri 'self'; frame-ancestors 'none'; upgrade-insecure-requests
Directive preview
| Directive | Value |
|---|---|
| base-uri | 'self' |
| frame-ancestors | 'none' |
| upgrade-insecure-requests | |
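The following is an added example, not the generator's own code: it rebuilds the header shown above from the same three directives, reproduces the three checks behind the warnings (wording and the `report-to` fallback are assumptions), and shows the corrected policy emitted in Report-Only mode. The `/csp-report` endpoint is a placeholder.

```python
from typing import Dict, List, Tuple

# The directives the page's generator holds, constructed from its output.
# Dict order is emission order; a valueless directive has an empty list.
DIRECTIVES: Dict[str, List[str]] = {
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
    "upgrade-insecure-requests": [],
}

# Corrected policy: fallback source, plugins disabled, reporting endpoint
# (the endpoint path is a placeholder, not a value from the page).
HARDENED: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
    "upgrade-insecure-requests": [],
    "report-uri": ["/csp-report"],
}


def build_header(directives: Dict[str, List[str]],
                 report_only: bool = False) -> Tuple[str, str]:
    """Return (header name, header value). Report-Only selects the
    reporting-only header name; directives are joined with '; '."""
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    parts = [d if not srcs else f"{d} {' '.join(srcs)}"
             for d, srcs in directives.items()]
    return name, "; ".join(parts)


def lint(directives: Dict[str, List[str]]) -> List[str]:
    """The checks behind the page's three warnings, plus an unsafe-keyword
    check for the migration note. Returns one message per finding."""
    findings = []
    if not directives.get("default-src"):
        findings.append("default-src is empty")
    if directives.get("object-src") != ["'none'"]:
        findings.append("object-src is not set to 'none'")
    if "report-uri" not in directives and "report-to" not in directives:
        findings.append("no report URI is set")
    for d, srcs in directives.items():
        for kw in ("'unsafe-inline'", "'unsafe-eval'"):
            if kw in srcs:
                findings.append(f"{d} allows {kw}")
    return findings
```

Run `lint(DIRECTIVES)` to get the page's three warnings and `build_header(HARDENED, report_only=True)` for a policy to deploy on an existing site before enforcing.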