Content Security Policy Builder

Create secure Content Security Policy headers for your website. This free tool helps you generate and understand CSP directives. Build your policies, fetch existing ones, and get human-readable explanations.

default-src

Serves as a fallback for the other fetch directives. Applies to all resources that don't have a more specific directive. Also controls inline scripts/styles and dynamic code execution if script-src/style-src are not set.

Available Prefixes:

'nonce-' - Prefix for nonce values to allow specific inline scripts/styles. Example: 'nonce-abc123'

Common Values:

'self' - Allows loading resources from the same origin (same scheme, host and port)
'none' - Prevents loading resources from any source
'unsafe-inline' - Allows inline scripts/styles and event handlers (unsafe, use nonce/hash instead)
'unsafe-eval' - Allows use of eval() and similar dynamic code execution
'unsafe-hashes' - Allows inline event handlers using their hash values (safer than unsafe-inline)
'strict-dynamic' - Allows scripts loaded by trusted scripts, ignoring the allowlist
https: - Allows loading resources from any source using HTTPS
wss: - Allows secure WebSocket connections
http: - Allows loading resources from any source using HTTP (insecure)
ws: - Allows WebSocket connections (insecure)
blob: - Allows loading resources via the blob: scheme (binary data)
data: - Allows loading resources via the data: scheme (inline data)
file: - Allows loading resources from the file system

script-src

Inherits from default-src if not set. Controls which scripts can be loaded and executed on the page. This includes inline scripts, event handlers, and dynamic code execution.

Available Prefixes:

'nonce-' - Prefix for nonce values to allow specific inline scripts. Example: 'nonce-abc123'
'sha256-' - Prefix for SHA-256 hash values to allow specific inline scripts. Example: 'sha256-hashvalue'
'sha384-' - Prefix for SHA-384 hash values to allow specific inline scripts. Example: 'sha384-hashvalue'
'sha512-' - Prefix for SHA-512 hash values to allow specific inline scripts. Example: 'sha512-hashvalue'

Common Values:

'self' - Allows loading scripts from the same origin
'none' - Prevents loading scripts from any source
'unsafe-inline' - Allows inline scripts and event handlers (unsafe, use nonce/hash instead)
'unsafe-eval' - Allows use of eval() and similar dynamic code execution
'unsafe-hashes' - Allows inline event handlers using their hash values (safer than unsafe-inline)
'strict-dynamic' - Allows scripts loaded by trusted scripts, ignoring the allowlist
https: - Allows loading scripts from any source using HTTPS
blob: - Allows scripts from blob: URLs
data: - Allows scripts from data: URIs (highly discouraged)

style-src

Inherits from default-src if not set. Controls which stylesheets can be loaded on the page, including inline styles and style attributes.

Available Prefixes:

'nonce-' - Prefix for nonce values to allow specific inline styles. Example: 'nonce-abc123'
'sha256-' - Prefix for SHA-256 hash values to allow specific inline styles. Example: 'sha256-hashvalue'
'sha384-' - Prefix for SHA-384 hash values to allow specific inline styles. Example: 'sha384-hashvalue'
'sha512-' - Prefix for SHA-512 hash values to allow specific inline styles. Example: 'sha512-hashvalue'

Common Values:

'self' - Allows loading styles from the same origin
'none' - Prevents loading styles from any source
'unsafe-inline' - Allows inline styles and style attributes (unsafe, use nonce/hash instead)
https: - Allows loading styles from any source using HTTPS
blob: - Allows styles from blob: URLs
data: - Allows styles from data: URIs

img-src

Inherits from default-src if not set. Controls which images can be loaded on the page.

Common Values:

'self' - Allows loading images from the same origin
'none' - Prevents loading images from any source
https: - Allows loading images from any source using HTTPS
blob: - Allows images from blob: URLs
data: - Allows images from data: URIs (base64 encoded images)

connect-src

Inherits from default-src if not set. Controls which connections can be made using script interfaces (fetch, XHR, WebSocket, EventSource).

Common Values:

'self' - Allows connections to the same origin
'none' - Prevents all network connections
https: - Allows connections to any source using HTTPS
wss: - Allows secure WebSocket connections
ws: - Allows WebSocket connections (insecure)
blob: - Allows connections to blob: URLs
data: - Allows connections to data: URIs

font-src

Inherits from default-src if not set. Controls which fonts can be loaded on the page.

Common Values:

'self' - Allows loading fonts from the same origin
'none' - Prevents loading fonts from any source
data: - Allows fonts from data: URIs
https: - Allows loading fonts from any source using HTTPS
blob: - Allows fonts from blob: URLs

object-src

Inherits from default-src if not set. Controls which plugins can be loaded on the page (object, embed, applet).

Common Values:

'none' - Prevents loading plugins from any source (recommended)
'self' - Allows loading plugins from the same origin

media-src

Inherits from default-src if not set. Controls which media (audio and video) can be loaded on the page.

Common Values:

'self' - Allows loading media from the same origin
'none' - Prevents loading media from any source
https: - Allows loading media from any source using HTTPS
blob: - Allows media from blob: URLs
data: - Allows media from data: URIs

frame-src

Inherits from default-src if not set. Controls which URLs this page may load into nested frames (iframe, frame).

Common Values:

'self' - Allows framing pages from the same origin
https: - Allows framing pages from any source using HTTPS
'none' - Prevents framing from any source

frame-ancestors

Controls which pages can embed this page (protects against clickjacking).

Common Values:

'self' - Allows embedding by pages from the same origin
'none' - Prevents embedding by any page (most restrictive)
https: - Allows embedding by any page using HTTPS

worker-src

Inherits from default-src if not set. Controls which scripts can be loaded as workers, shared workers, or service workers.

Common Values:

'self' - Allows loading workers from the same origin
'none' - Prevents loading any workers
blob: - Allows workers from blob: URLs
data: - Allows workers from data: URIs
https: - Allows loading workers from any source using HTTPS

manifest-src

Inherits from default-src if not set. Controls which web app manifests can be loaded for the page.

Common Values:

'self' - Allows loading manifests from the same origin
'none' - Prevents loading manifests from any source
https: - Allows loading manifests from any source using HTTPS

form-action

Controls which URLs can be used as the target of form submissions.

Common Values:

'self' - Allows forms to submit to the same origin
https: - Allows forms to submit to any HTTPS URL
'none' - Prevents form submissions entirely

base-uri

Controls which URLs can be used as the base URL for the page (the URL a <base> element may set).

Common Values:

'self' - Allows only same-origin URLs as the base URL
'none' - Prevents the use of base URLs (no <base> element takes effect)

upgrade-insecure-requests

Instructs browsers to upgrade HTTP requests to HTTPS before fetching. This directive takes no value; it is either not specified or enabled.

block-all-mixed-content

Blocks all mixed content (HTTP resources on HTTPS pages). This directive is deprecated in favour of upgrade-insecure-requests. It takes no value; it is either not specified or enabled.

trusted-types

Controls which Trusted Types policies can be used (helps prevent DOM XSS).

Common Values:

'none' - Disallows all Trusted Types policies
default - Allows a default policy

sandbox

Enables a sandbox for the page, similar to the iframe sandbox attribute.

Common Values:

allow-forms - Allows form submission
allow-scripts - Allows script execution
allow-same-origin - Allows the content to keep its own origin rather than being treated as a unique opaque origin, so same-origin requests are permitted
allow-popups - Allows popups
allow-top-navigation - Allows navigation of the top-level browsing context

About Content Security Policy

Content Security Policy (CSP) is a critical security standard that helps protect websites from various attacks, including Cross-Site Scripting (XSS) and other code injection attacks. By specifying which content sources are trusted, CSP provides an additional layer of security for web applications.

Key CSP Features

Benefits of Using CSP

Getting Started with CSP

Content Security Policy implementation requires careful planning and understanding of your website's resource requirements. Start with these steps:

Best Practices