CSP Header Generator

Build a Content Security Policy header from common directives, presets, reporting mode, and security checks.

CSP policy

Policy summary

Header name: Content-Security-Policy

Review 3 warnings before using this header in production.

Directives: 3
Warnings: 3
Mode: Enforce
Reporting: Disabled

Implementation notes

  • Start in Report-Only mode when deploying CSP to an existing production site.
  • Avoid unsafe-inline and unsafe-eval unless you have a migration plan for nonces or hashes.
  • Tune script-src, connect-src, img-src, and frame-src against real browser reports before enforcing.

Warnings

  • default-src is empty. Add a fallback source for unspecified resource types.
  • object-src is not set to 'none'. Disable plugins unless you explicitly need them.
  • No report URI is set. Add reporting before enforcing if you need rollout visibility.

Generated header

Ready to paste into server headers
Content-Security-Policy: base-uri 'self'; frame-ancestors 'none'; upgrade-insecure-requests

Directive preview

Directive                  Value
base-uri                   'self'
frame-ancestors            'none'
upgrade-insecure-requests  (no value)
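As an added example (not part of the generator's output), the following Python parses the generated header, reproduces the three warnings listed above plus the unsafe-inline/unsafe-eval check from the implementation notes, applies the fixes, and renders the Report-Only variant recommended for a first rollout. The exact check rules, the 'self' fallback for default-src and the /csp-report endpoint are assumptions, not the generator's own logic.

```python
# Constructed sample: the header value exactly as the generator emitted it above.
GENERATED_HEADER = "base-uri 'self'; frame-ancestors 'none'; upgrade-insecure-requests"


def parse_csp(policy: str) -> dict:
    """Split a CSP value into {directive: [source expressions]}.
    Per the CSP spec, if a directive is repeated the first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        if name not in directives:
            directives[name] = values
    return directives


def check_csp(policy: str) -> list:
    """Assumed rule set mirroring the generator's warnings and implementation notes."""
    d = parse_csp(policy)
    warnings = []
    if not d.get("default-src"):
        warnings.append("default-src is empty. Add a fallback source for unspecified resource types.")
    if d.get("object-src") != ["'none'"]:
        warnings.append("object-src is not set to 'none'. Disable plugins unless you explicitly need them.")
    if "report-uri" not in d and "report-to" not in d:
        warnings.append("No report URI is set. Add reporting before enforcing if you need rollout visibility.")
    for name, values in d.items():
        for risky in ("'unsafe-inline'", "'unsafe-eval'"):
            if name.endswith("-src") and risky in values:
                warnings.append(f"{name} allows {risky}; plan a migration to nonces or hashes.")
    return warnings


def harden(policy: str, report_endpoint: str) -> str:
    """Resolve the three warnings: fallback default-src (assumed 'self'),
    object-src 'none', and a report-uri so Report-Only mode produces reports."""
    d = parse_csp(policy)
    d.setdefault("default-src", ["'self'"])
    d["object-src"] = ["'none'"]
    d.setdefault("report-uri", [report_endpoint])
    return "; ".join(f"{k} {' '.join(v)}".strip() for k, v in d.items())


def header_line(policy: str, report_only: bool) -> str:
    """Render the full header; Report-Only logs violations without blocking."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return f"{name}: {policy}"
```

Running `check_csp(GENERATED_HEADER)` reproduces the three warnings shown in the summary, and `check_csp(harden(GENERATED_HEADER, "/csp-report"))` returns none.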