MyAIUtility

Content Security Policy Generator

Generate CSP headers to protect your website from XSS and injection attacks


Configure Directives

default-src: Fallback for other directives. Sets the default policy for fetching resources.
Value: 'self'


HTTP Header

Content-Security-Policy: default-src 'self'

Meta Tag

Note: report-uri and report-to are not supported in meta tags

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

Directive Reference

  • 'none' - Blocks all resources of this type
  • 'self' - Allows resources from the same origin
  • 'unsafe-inline' - Allows inline scripts/styles (not recommended)
  • 'unsafe-eval' - Allows eval() and similar (not recommended)
  • 'strict-dynamic' - Trusts scripts loaded by trusted scripts
  • data: - Allows data: URIs
  • https: - Allows any HTTPS source

Security Best Practices

  • Always set default-src as a fallback policy
  • Avoid 'unsafe-inline' and 'unsafe-eval' when possible
  • Use nonces or hashes instead of 'unsafe-inline' for scripts
  • Set object-src to 'none' to prevent plugin-based attacks
  • Test your CSP in report-only mode first
  • Specify exact domains instead of wildcards
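The following Python example is added here to show how a small CSP builder can apply the practices above; it is not the generator's own code. It serialises a directive mapping into the header and meta-tag forms shown earlier, drops the directives a meta tag cannot carry (report-uri and report-to from the note above, plus frame-ancestors and sandbox, which the CSP specification also excludes from meta delivery), issues a per-response nonce, emits the Report-Only header name for staged rollout, and lints a policy for the weak settings the list warns about. The weak and hardened policies, the `csp-endpoint` reporting group name, and the directive names other than default-src and object-src are constructed for illustration.

```python
import secrets

# Directives browsers ignore when the policy is delivered via <meta> (report-uri and
# report-to from the page's note; frame-ancestors and sandbox per the CSP spec).
META_UNSUPPORTED = {"report-uri", "report-to", "frame-ancestors", "sandbox"}

# Source expressions the "avoid unsafe-inline/unsafe-eval" practice is about.
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
# Scheme-only sources that admit any origin, treated like wildcards by the linter.
BROAD_SCHEMES = {"https:", "http:", "data:"}


def make_nonce() -> str:
    """Fresh 128-bit random nonce per response; echo it in <script nonce="..."> tags."""
    return secrets.token_urlsafe(16)  # base64url, allowed by the CSP3 base64-value grammar


def build_policy(directives: dict[str, list[str]]) -> str:
    """Serialise {directive: [sources]} to 'default-src 'self'; object-src 'none''."""
    parts = []
    for name, sources in directives.items():
        parts.append(name if not sources else f"{name} {' '.join(sources)}")
    return "; ".join(parts)


def header(directives: dict[str, list[str]], report_only: bool = False) -> tuple[str, str]:
    """Return (header name, value); report_only selects the monitoring-only header."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, build_policy(directives)


def meta_tag(directives: dict[str, list[str]]) -> str:
    """Meta-tag form with the directives meta delivery does not support removed."""
    supported = {k: v for k, v in directives.items() if k not in META_UNSUPPORTED}
    value = build_policy(supported).replace("&", "&amp;").replace('"', "&quot;")
    return f'<meta http-equiv="Content-Security-Policy" content="{value}">'


def lint(directives: dict[str, list[str]]) -> list[str]:
    """Flag settings that contradict the best-practice list; empty list means clean."""
    findings = []
    if "default-src" not in directives:
        findings.append("missing default-src fallback policy")
    if directives.get("object-src") != ["'none'"]:
        findings.append("object-src should be 'none' to block plugin-based content")
    for name, sources in directives.items():
        for src in sources:
            if src in UNSAFE_KEYWORDS:
                findings.append(f"{name} allows {src}; use a nonce or hash instead")
            elif "*" in src or src in BROAD_SCHEMES:
                findings.append(f"{name} allows broad source {src}; list exact origins")
    return findings


def example() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed sample policies: a weak one and its hardened counterpart."""
    nonce = make_nonce()
    weak = {
        "default-src": ["'self'"],
        "script-src": ["'self'", "'unsafe-inline'", "https:"],  # inline + any HTTPS origin
    }
    hardened = {
        "default-src": ["'self'"],
        "script-src": [f"'nonce-{nonce}'", "'strict-dynamic'"],  # nonce instead of unsafe-inline
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "report-to": ["csp-endpoint"],  # group name is an assumption; needs a Reporting-Endpoints header
    }
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = example()
    print("weak policy findings:", *lint(weak), sep="\n  ")
    print("hardened policy findings:", lint(hardened))
    print("%s: %s" % header(hardened, report_only=True))
    print(meta_tag(hardened))  # report-to is absent here
```

Run it directly to see the lint findings for the weak policy, the Report-Only header you would deploy first, and the meta-tag form with the reporting directive stripped. Because the nonce is generated per call, the hardened policy must be rebuilt for every response and the same value placed on each inline script tag.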