Zenovay Tools

CSP Header Generator

Generate Content Security Policy headers visually. Configure directives with predefined sources, custom URLs, and presets.

Directives (1 enabled)

default-src: fallback for all resource types
script-src: JavaScript sources
style-src: CSS sources
img-src: image sources
font-src: font sources
connect-src: fetch / XHR / WebSocket endpoints
media-src: audio and video sources
object-src: plugin sources (Flash, etc.)
frame-src: iframe sources
base-uri: restricts <base> tag URLs
form-action: form submission targets
frame-ancestors (HTTP header only): who can embed this page (not usable in a <meta> tag)
report-uri (HTTP header only): violation report endpoint URL

Output Format

HTTP Header:
Content-Security-Policy: default-src 'self'

Policy Value Only:
default-src 'self'

Policy Summary

Directives: 1
Header length: 18
Plugin security: object-src not set to 'none'

How to Use CSP Header Generator

  1. Enable and configure CSP directives.
  2. Add sources for each directive.
  3. Choose a preset (Strict, Moderate, Permissive).
  4. Copy the HTTP header or meta tag output.

Frequently Asked Questions

What is a Content Security Policy (CSP)?
A Content Security Policy is an HTTP response header that lets you control which resources (scripts, styles, images, fonts, etc.) a browser is allowed to load for your page. You define an allowlist of trusted origins for each resource type. Browsers that support CSP enforce the policy and block anything not explicitly permitted. CSP is defined by the W3C and is supported in all modern browsers.
What do the CSP directives mean?
default-src is the catch-all fallback used for any resource type not given its own directive. script-src governs JavaScript sources; style-src governs CSS; img-src covers images; font-src covers web fonts; connect-src covers fetch, XHR, and WebSocket connections; media-src covers audio/video; object-src covers plugins like Flash; frame-src controls which origins can be loaded in iframes; base-uri restricts the URLs that can appear in a <base> element; form-action limits where forms may submit; frame-ancestors controls which pages may embed yours (replaces X-Frame-Options); report-uri specifies a URL where the browser will POST violation reports.
How does CSP prevent XSS attacks?
Cross-site scripting (XSS) attacks inject malicious scripts into a trusted page. CSP prevents this in two ways: first, by blocking inline scripts and eval() unless you explicitly allow 'unsafe-inline' or 'unsafe-eval' (which you should avoid); second, by allowlisting external script origins so that injected tags pointing to attacker-controlled domains are blocked. Combined with 'strict-dynamic', a nonce-based CSP can allow specific inline scripts while still blocking injected ones. CSP is a defence-in-depth measure: it reduces the impact of XSS but does not replace input sanitisation.
What is report-uri and how do I use it?
The report-uri directive tells browsers to send a JSON POST request to a specified URL whenever a CSP violation occurs. This lets you monitor policy violations without breaking the site. A typical workflow is to first deploy the policy using the Content-Security-Policy-Report-Only header (which logs violations but does not enforce them), collect reports from your report-uri endpoint, refine the policy to eliminate false positives, then switch to the enforcing Content-Security-Policy header. Services like report-uri.com, Sentry, or a simple server endpoint can receive these reports.
What are CSP best practices?
Start with default-src 'none' and add only what you need. Set object-src 'none' to block plugins. Set base-uri 'self' to prevent base-tag injection. Avoid 'unsafe-inline' and 'unsafe-eval'; use nonces or hashes for inline scripts instead. Use 'strict-dynamic' with a nonce to allow trusted scripts to load further scripts without maintaining a long allowlist. Deploy with report-uri in report-only mode first to discover what to allow before enforcing. Pair CSP with other headers: X-Frame-Options (or frame-ancestors), X-Content-Type-Options, and HSTS.