CSP Header Generator

Visual Content Security Policy header builder with presets for strict, moderate, and permissive policies. Configure directives, add sources, and export as HTTP header or meta tag. Runs entirely in your browser — your data never leaves your machine.

Published May 29, 2026

How It Works

Select a preset or start from scratch. Add directives from the full list of standard CSP directives, then configure each directive’s allowed sources using keyword buttons ('self', 'none', 'unsafe-inline', etc.) or by typing custom domain/URI values. Toggle Report-Only mode to test a policy without enforcing it. The output panel gives you three ready-to-use formats: the bare header value, the full HTTP header line, and an HTML meta tag.

You can also import an existing CSP string — paste any Content-Security-Policy header value (with or without the header name prefix) and the tool will parse it into the visual editor.

Features

  • 6 presets: Strict, Moderate, Permissive, API Backend, SPA with CDN, WordPress
  • All 20 standard directives: fetch, navigation, document, and reporting directives
  • Keyword quick-add: one-click buttons for 'self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'unsafe-hashes', 'wasm-unsafe-eval'
  • Custom sources: add any domain, URL scheme (data:, https:), or wildcard (*)
  • Report-Only toggle: switch between Content-Security-Policy and Content-Security-Policy-Report-Only
  • Three output formats: bare header value, full HTTP header line, HTML meta tag
  • Validation warnings: flags empty directives, 'none' combined with other values, conflicting 'unsafe-inline'+'strict-dynamic', 'unsafe-eval' usage, deprecated report-uri
  • Import parser: paste an existing CSP string to load it into the visual editor
  • Private: runs entirely in the browser — no data transmitted
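
The import parsing and validation warnings listed above can be sketched as follows. This is an added example, not the tool's own code: the names `parseCsp` and `lintCsp`, the warning codes, and the exemption of valueless directives from the empty check are assumptions.

```javascript
// Added example; parseCsp and lintCsp are hypothetical names, not the tool's API.
// Assumption: directives that legitimately take no value are exempt from the "empty" check.
const VALUELESS = new Set(['upgrade-insecure-requests', 'block-all-mixed-content', 'sandbox']);

function parseCsp(input) {
  // Accept a bare value or a full header line with the header name prefix.
  const m = /^\s*(content-security-policy(?:-report-only)?)\s*:/i.exec(input);
  const reportOnly = m !== null && /-report-only$/i.test(m[1]);
  const value = m ? input.slice(m[0].length) : input;
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // stray or trailing semicolon
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // Browsers ignore a repeated directive, so only the first occurrence is kept.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return { reportOnly, directives };
}

function lintCsp({ directives }) {
  const warnings = [];
  for (const [name, sources] of directives) {
    const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
    const warn = (code) => warnings.push({ directive: name, code });
    if (sources.length === 0 && !VALUELESS.has(name)) warn('empty');
    if (has("'none'") && sources.length > 1) warn('none-with-others');
    if (has("'unsafe-inline'") && has("'strict-dynamic'")) warn('inline-with-strict-dynamic');
    if (has("'unsafe-eval'")) warn('unsafe-eval');
    if (name === 'report-uri') warn('deprecated-report-uri');
  }
  return warnings;
}

// Constructed sample input (not taken from any real site).
const sample =
  "Content-Security-Policy-Report-Only: default-src 'none' https://cdn.example; " +
  "script-src 'self' 'unsafe-inline' 'strict-dynamic' 'unsafe-eval'; img-src; " +
  "upgrade-insecure-requests; report-uri /csp-report; script-src *";

const parsed = parseCsp(sample);
console.log(parsed.reportOnly ? 'report-only' : 'enforcing');
for (const w of lintCsp(parsed)) console.log(`${w.directive}: ${w.code}`);
```

The trailing `script-src *` in the sample is dropped at parse time, which is why a pasted policy with a repeated directive can look stricter or looser in an editor than a reader skimming the raw string would expect.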

Use Cases

  • Building a CSP for a new site from a secure baseline
  • Auditing and tightening an existing policy
  • Generating the meta tag equivalent of a server-set CSP
  • Testing report-only policies before full enforcement
  • Understanding what each directive controls