CSP Header Generator
Generate Content-Security-Policy headers with a visual editor. Pick directives, use presets, and copy the result.
Generated Policy
HTTP Header
Content-Security-Policy: default-src 'self'
HTML Meta Tag
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
Frequently Asked Questions
What is Content-Security-Policy (CSP)?
CSP is an HTTP response header (or an equivalent meta tag) that tells the browser which sources it may load scripts, styles, images and other resources from, and which origins may frame the page. It is a defence-in-depth mitigation: a strict policy limits what injected markup can do, so it reduces the impact of cross-site scripting (XSS) and related injection bugs, and the frame-ancestors directive blocks clickjacking. It does not remove the underlying injection flaw, so output encoding and input validation are still required.
What does each directive do?
default-src is the fallback for the fetch directives: script-src controls JavaScript, style-src controls CSS, img-src controls images, connect-src controls fetch/XHR/WebSocket connections, font-src controls fonts, and frame-src controls iframes the page embeds. Any fetch directive that is omitted inherits the default-src list. form-action (where forms may submit), frame-ancestors (who may frame this page) and base-uri (allowed <base> targets) are not fetch directives and do not inherit from default-src, so a policy consisting only of default-src 'self' leaves form submissions and framing unrestricted.
Should I use a CSP meta tag or HTTP header?
Prefer the HTTP header: it is enforced before any of the document is parsed and can be applied to every response the server sends, not only HTML. A meta tag only takes effect once the parser reaches it, so it must be placed as early as possible in <head>, and browsers ignore frame-ancestors, report-uri and sandbox when a policy is delivered this way, so clickjacking protection and violation reporting require the header.
What are common CSP values?
'self' allows only the page's own origin (same scheme, host and port). 'none' allows nothing and is used to switch a resource type off, for example object-src 'none'. 'unsafe-inline' allows inline <script> and <style> blocks and inline event handlers, which largely defeats the XSS protection; use a per-response nonce ('nonce-<random value>') or a hash ('sha256-<base64 digest>') of the inline block instead. A host source such as https://cdn.example.com allows that origin only; a wildcard such as *.example.com matches subdomains but not example.com itself.
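The three answers above (directive fallback, meta-tag limits, and source values) can be checked mechanically. The following is an added example, not the generator's own code: it parses a policy string, decides whether a given load is allowed using the default-src fallback rules for fetch directives, and refuses to render a policy as a meta tag when it contains a directive that browsers ignore in that form. The policy strings, page origin and URLs are constructed sample inputs; the source matching is deliberately simplified (paths are ignored, and an explicit port must match the URL's explicit port).

```javascript
// Added example (not the generator's own code): a small CSP evaluator that applies
// the directive rules described in the FAQ. Policy strings, URLs and origins below
// are constructed sample inputs, not taken from any real site.

// Fetch directives: these fall back to default-src when they are absent.
const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "connect-src", "font-src", "frame-src",
  "media-src", "object-src", "child-src", "worker-src", "manifest-src",
]);

// Directives a browser ignores when the policy is delivered in a <meta> tag.
const META_UNSUPPORTED = new Set(["frame-ancestors", "report-uri", "sandbox"]);

// "default-src 'self'; script-src 'self' https://cdn.example.com" -> Map(name -> [sources])
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources); // browsers keep the first occurrence
  }
  return policy;
}

// The source list that governs a directive, or null if the policy does not constrain it.
// form-action, frame-ancestors and base-uri are not fetch directives and never inherit default-src.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && policy.has("default-src")) return policy.get("default-src");
  return null;
}

// Simplified source-expression matching: 'none', '*', 'self', scheme sources (https:)
// and host sources with optional scheme, wildcard subdomain and port. Paths are ignored,
// and nonce/hash/'unsafe-*' keywords never match a URL.
function sourceMatches(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return !/^(data|blob|filesystem):$/.test(target.protocol);
  if (s === "'self'") return target.origin === page.origin;
  if (s.startsWith("'")) return false;
  if (s.endsWith(":")) return target.protocol === s;
  const [scheme, rest] = s.includes("://") ? s.split("://") : [null, s];
  if (scheme && target.protocol !== scheme + ":") return false;
  const [host, port] = rest.replace(/\/.*$/, "").split(":");
  if (port && port !== "*" && port !== target.port) return false; // simplification: no default-port logic
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1)); // subdomains only
  return target.hostname === host;
}

// Is a load of the given kind from `url` allowed on a page at `pageUrl`?
function isAllowed(policy, directive, url, pageUrl) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const target = new URL(url, pageUrl);
  return sources.some((src) => sourceMatches(src, target, page));
}

// Serialize back to header form.
function serialize(policy) {
  return [...policy].map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Render as a meta tag, refusing directives a <meta> delivery would silently drop.
function toMetaTag(policy) {
  const dropped = [...policy.keys()].filter((d) => META_UNSUPPORTED.has(d));
  if (dropped.length) throw new Error(`not deliverable via <meta>: ${dropped.join(", ")}`);
  return `<meta http-equiv="Content-Security-Policy" content="${serialize(policy)}">`;
}

// Constructed walkthrough.
const page = "https://app.example.com/";
const policy = parsePolicy(
  "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'"
);
console.log(isAllowed(policy, "script-src", "https://cdn.example.com/lib.js", page)); // true
console.log(isAllowed(policy, "img-src", "https://cdn.example.com/logo.png", page)); // false: img-src falls back to default-src 'self'
console.log(isAllowed(policy, "form-action", "https://evil.example/collect", page)); // true: form-action is not covered by default-src
```

The third result is the one that surprises people: with only default-src and script-src set, an injected form can still post the page's data anywhere, which is why a hardened policy normally adds form-action 'self', base-uri 'none' and object-src 'none' explicitly.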