CSP Generator

Create robust Content Security Policies (CSP) to defend your web application from cross-site scripting (XSS) and other code-injection attacks.

default-src

Fallback for any fetch directive that is not set explicitly (script-src, style-src, img-src, connect-src, font-src and others). A directive you do set replaces the fallback entirely rather than adding to it.

script-src

Specifies valid sources for JavaScript.

style-src

Specifies valid sources for stylesheets.

img-src

Specifies valid sources for images and favicons.

connect-src

Restricts URLs which can be loaded using script interfaces (fetch, XHR, WebSockets).

font-src

Valid sources for fonts loaded via @font-face.

frame-ancestors

Valid parents that may embed a page (defends against clickjacking). It is not a fetch directive, so it does not inherit from default-src and must be set explicitly; browsers also ignore it in a <meta> tag, so it only takes effect when sent as an HTTP response header.

Generated CSP Policy

default-src 'self';
<meta http-equiv="Content-Security-Policy" content="...">

Pro-Tip

Always start with default-src 'self'. Every fetch directive you do not set explicitly then falls back to same-origin resources only, so nothing from another origin loads unless a more specific directive allows it.

Understanding Directives

'self'

Allows loading resources from the same origin (same protocol, host, and port).

'unsafe-inline'

Allows the use of inline resources, such as inline <script> elements, inline event-handler attributes, javascript: URLs, and <style> elements. In script-src it also lets injected inline script run, which removes most of the XSS protection the policy is meant to provide; prefer a nonce or hash for the inline scripts you actually need.

upgrade-insecure-requests

Instructs browsers to treat all of a site's insecure URLs (those over HTTP) as though they have been replaced with secure URLs (over HTTPS).
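As an added example, not code from this generator, the following JavaScript helper serializes a set of directive choices into a header value in the same form as the generated policy above, and lints it for the weaknesses the Pro-Tip and the 'unsafe-inline' note describe: a missing default-src, 'unsafe-inline' in script-src, a wildcard source, and a missing frame-ancestors. The function names and the sample policy are the author's own assumptions.

```javascript
// Added example, not the generator's own code. Directives are given as a map
// from directive name to an array of source expressions.

// Serialize to the Content-Security-Policy header value; each directive ends
// with ";" exactly as in the generated policy shown on this page.
function buildCsp(directives) {
  return Object.entries(directives)
    .filter(([, sources]) => sources.length > 0)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ") + ";";
}

// Return a list of human-readable warnings for settings that weaken the policy.
function lintCsp(directives) {
  const warnings = [];
  if (!directives["default-src"]) {
    warnings.push("no default-src: every fetch directive you did not set is unrestricted");
  }
  for (const [name, sources] of Object.entries(directives)) {
    if (name === "script-src" && sources.includes("'unsafe-inline'")) {
      warnings.push("script-src allows 'unsafe-inline': injected inline script still runs; use a nonce or hash");
    }
    if (sources.includes("*")) {
      warnings.push(`${name} allows any origin ('*')`);
    }
  }
  if (!directives["frame-ancestors"]) {
    warnings.push("frame-ancestors not set: it does not fall back to default-src, so any site may frame this page");
  }
  return warnings;
}

// Constructed sample: the recommended starting point plus a weak script-src.
const sample = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "'unsafe-inline'"],
  "img-src": ["'self'", "https://cdn.example.invalid"],
};

console.log(buildCsp(sample));
for (const w of lintCsp(sample)) console.log("warning:", w);
```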