KitMul MarkKitMul Text

Build Content Security Policy

Generate CSP headers interactively with all directives, presets, and output for HTTP headers, meta tags, Nginx, Apache, and Express.

Build and configure Content Security Policy (CSP) headers visually with an interactive directive editor. Add sources per directive, preview your policy live, and export as HTTP headers, HTML meta tags, Nginx, Apache, or Express.js configurations. All processing happens in your browser.

Loading...
Your data stays in your browser
Was this tool useful?
Tutorial

How to Build a CSP Header

1
1

Choose Directives

Start with default-src and add more directives like script-src, style-src, or img-src for granular control.

2
2

Add Allowed Sources

Click preset values like 'self' or 'none', or type custom domains to whitelist specific origins for each directive.

3
3

Export the Policy

Switch between output tabs to copy the CSP as an HTTP header, meta tag, or server configuration snippet.

Guide

Complete Guide to Content Security Policy

Why CSP Matters for Web Security

Content Security Policy is one of the most effective defenses against cross-site scripting (XSS) attacks. By declaring exactly which sources can load scripts, styles, images, and other resources, you create a whitelist that browsers enforce automatically. Even if an attacker injects malicious code into your page, the browser refuses to execute it because the source is not in your policy.

Understanding CSP Directives

Each directive controls a specific resource type. The default-src directive acts as a fallback for any unspecified type. The script-src directive governs JavaScript sources, style-src handles CSS, and img-src controls images. More specialized directives like connect-src restrict fetch and XMLHttpRequest targets, while frame-ancestors determines which sites can embed yours in an iframe.

Common Source Values Explained

The value 'self' allows content from your own origin. The value 'none' blocks everything for that directive. For inline scripts, 'unsafe-inline' permits them but weakens security; prefer nonce-based or hash-based approaches. The 'strict-dynamic' value trusts scripts loaded by already-trusted scripts, simplifying CDN usage while maintaining protection against injected code.

Deploying CSP in Production

Start with Content-Security-Policy-Report-Only to collect violation reports without breaking functionality. Analyze the reports, adjust your policy, and then switch to the enforcing header. Use report-uri or report-to directives to send violations to a logging endpoint. Monitor regularly because new third-party integrations or code changes may trigger unexpected blocks.

Sources

Examples

CSP Configuration Examples

Basic Secure Website

A website that only loads its own resources and uses Google Fonts.

1

Set default-src to 'self'

2

Set font-src to 'self' fonts.gstatic.com

3

Set style-src to 'self' fonts.googleapis.com

default-src 'self'; font-src 'self' fonts.gstatic.com; style-src 'self' fonts.googleapis.com

E-commerce with Analytics

An online store using Google Analytics, Stripe payments, and a CDN for images.

1

Set default-src to 'self'

2

Set script-src to 'self' www.googletagmanager.com js.stripe.com

3

Set connect-src to 'self' www.google-analytics.com api.stripe.com

4

Set img-src to 'self' cdn.example.com data:

5

Set frame-src to js.stripe.com

default-src 'self'; script-src 'self' www.googletagmanager.com js.stripe.com; connect-src 'self' www.google-analytics.com api.stripe.com; img-src 'self' cdn.example.com data:; frame-src js.stripe.com

Use Cases

CSP Use Cases

Block Mixed Content

Set default-src to 'self' and upgrade-insecure-requests to force HTTPS across all resources. This prevents browsers from loading HTTP assets on HTTPS pages, eliminating mixed content warnings and improving security posture.

Restrict Third-Party Scripts

Configure script-src to allow only 'self' and specific CDN domains like cdn.jsdelivr.net. This blocks inline scripts and unknown third-party code, significantly reducing the attack surface for cross-site scripting vulnerabilities.

Lock Down Iframes

Use frame-ancestors 'none' to prevent your site from being embedded in iframes on other domains. This provides clickjacking protection similar to X-Frame-Options DENY but with more flexibility for whitelisting trusted parents.

Frequently Asked Questions

?What is a Content Security Policy?

CSP is an HTTP header that tells browsers which sources of content are allowed on your page, preventing XSS and data injection attacks.

?What does default-src control?

It acts as a fallback for all resource types. If a specific directive like script-src is not set, the browser uses default-src instead.

?Should I use 'unsafe-inline' in script-src?

Avoid it when possible because it allows inline scripts, which weakens XSS protection. Use nonces or hashes as safer alternatives instead.

?Can I test my CSP before deploying?

Yes. Use Content-Security-Policy-Report-Only header first. It logs violations without blocking resources, letting you fine-tune your policy safely.

?What is the difference between HTTP header and meta tag?

Both deliver the same policy. The HTTP header is preferred because meta tags do not support frame-ancestors and report-uri directives.

?Is my data private?

Yes. Everything runs locally in your browser. No data is sent to any server. Your CSP configuration never leaves your machine.

?Is this tool free?

Yes. Completely free with no limits, no sign-up required. Build as many policies as you need without any restrictions.

Help us improve

How do you like this tool?

Every tool on Kitmul is built from real user requests. Your rating and suggestions help us fix bugs, add missing features and build the tools you actually need.

Rate this tool

Tap a star to tell us how useful this tool was for you.

Suggest an improvement or report a bug

Missing a feature? Found a bug? Have an idea? Tell us and we'll look into it.

Related Tools

Generate Security Headers

Configure and generate HTTP security headers with a security grade score. Export for Nginx, Apache, and Express.js.

Try Tool

Encrypt and Decrypt with AES

Encrypt and decrypt text using AES-CBC or AES-GCM directly in your browser with the Web Crypto API.

Try Tool

Encode and Decode Base58

Encode text to Base58 and decode Base58 back to text using the Bitcoin alphabet.

Try Tool
Recommended Reading

Recommended Books on Web Security and CSP

Web Application Hacker's Handbook

Web Application Hacker's Handbook

Dafydd Stuttard

The Code Book

The Code Book

Simon Singh

Crypto: How the Code Rebels Beat the Government

Crypto: How the Code Rebels Beat the Government

Steven Levy

As an Amazon Associate we earn from qualifying purchases.

Boost Your Capabilities

Security Tools for Web Developers

YubiKey 5 NFC — Hardware Security Key for MFA

YubiKey 5 NFC — Hardware Security Key for MFA

Yubico

Apricorn Aegis Secure Key — 256-bit AES Encrypted USB Drive

Apricorn Aegis Secure Key — 256-bit AES Encrypted USB Drive

Apricorn

Kingston IronKey Vault — FIPS 197 Certified Encrypted Flash Drive

Kingston IronKey Vault — FIPS 197 Certified Encrypted Flash Drive

Kingston

As an Amazon Associate we earn from qualifying purchases.

Newsletter

Get Free Productivity Tips & New Tools First

Join makers and developers who care about privacy. Every issue: new tool drops, productivity hacks, and insider updates — no spam, ever.

Priority access to new tools
Unsubscribe anytime, no questions asked