CSP Builder

Compose a Content-Security-Policy header directive-by-directive. Quotes keywords automatically, lints risky combinations, emits header + meta-tag.

Input

How to fill in sources

Each directive takes a list of sources separated by spaces. No commas, no quotes around URLs.

Keywordsself, none, unsafe-inline, unsafe-eval
Bare or quoted — the tool wraps them in single quotes for you.
Same origin'self'
Scheme + host + port match the page.
URLshttps://cdn.example.com
Include the scheme. Port matters.
Wildcards*.example.com https://*.cdn.example.com
Subdomain wildcard. * alone allows any origin (avoid).
Schemesdata: blob: mediastream:
Note the trailing colon.
Noncesnonce-AbCdEf
Auto-quoted. Pair with a matching nonce attribute in your HTML.
Hashessha256-AbCd... sha384-... sha512-...
Auto-quoted. Base64 of the script/style body.
Block all'none'
Must be the only value in the directive.

default-srcFallback for fetch directives.
Example: 'self'
script-srcJavaScript sources.
Example: 'self' https://cdn.example.com 'nonce-abc123'
style-srcStylesheets and <style>.
Example: 'self' https://fonts.googleapis.com
img-srcImages.
Example: 'self' data: https://images.example.com
font-src@font-face sources.
Example: 'self' https://fonts.gstatic.com
connect-srcfetch / XHR / WebSocket / EventSource.
Example: 'self' https://api.example.com wss://api.example.com
frame-srcSources for <iframe> / <frame>.
Example: 'self' https://www.youtube.com
frame-ancestorsWho can frame this page (replaces X-Frame-Options).
Example: 'self'

Extrasupgrade-insecure-requestsAuto-rewrite http:// to https:// before fetching. Handy migration step.report-urideprecated in CSP3

Configure directives on the left.