What Is a CSP Header Generator?
A Content Security Policy (CSP) header generator helps you build the Content-Security-Policy HTTP response header. CSP is a security standard that prevents cross-site scripting (XSS), data injection, and other code injection attacks by specifying which content sources the browser should trust.
How to Use This CSP Generator
- Enable the directives you need using the checkboxes.
- Enter allowed sources for each directive (e.g., 'self', https://cdn.example.com).
- Click "Generate CSP Header" to build the complete header string.
- Copy the result and add it to your server configuration or meta tag.
Common CSP Source Values
Frequently used values include 'self' (same origin), 'none' (block all), 'unsafe-inline' (allow inline scripts/styles), 'unsafe-eval' (allow eval), data: (allow data URIs), and specific domain URLs. Combining multiple sources per directive gives fine-grained control over what the browser can load.
Frequently Asked Questions
What happens if I don't set a default-src?
Without default-src, unspecified directives have no restriction. It is best practice to set default-src 'self' as a fallback, then override specific directives as needed.
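The steps above (enable directives, enter sources, generate the header string), the source values listed under "Common CSP Source Values", and the default-src fallback described in this answer are shown together in the following worked example. It is example code added here, not the generator's own implementation: the directive lists, the token patterns, the `POLICY` sample and the audit rules are assumptions made for illustration, following CSP Level 3 conventions rather than any code from this page.

```python
import re

# Fetch directives that inherit from default-src when they are not set explicitly (assumed list).
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
    "object-src", "frame-src", "worker-src", "manifest-src", "child-src",
)
# Other directives the builder accepts; these never inherit from default-src.
OTHER_DIRECTIVES = ("default-src", "frame-ancestors", "base-uri", "form-action",
                    "report-uri", "sandbox", "upgrade-insecure-requests")
# Directives whose values are not source lists and are emitted verbatim.
FLAG_DIRECTIVES = {"sandbox", "upgrade-insecure-requests"}
# Directives the browser ignores when the policy arrives in a <meta> tag instead of a header.
HEADER_ONLY = {"frame-ancestors", "report-uri", "sandbox"}

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)                       # e.g. data:, blob:
HOST_RE = re.compile(                                                        # e.g. https://cdn.example.com, *.example.com:443
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:\*|(?:\*\.)?[a-z0-9.-]+)(?::(?:\d+|\*))?(?:/\S*)?$", re.I)
NONCE_HASH_RE = re.compile(r"^'(?:nonce-[A-Za-z0-9+/=_-]+|sha(?:256|384|512)-[A-Za-z0-9+/=]+)'$")


def is_valid_source(token):
    """True if token is a CSP keyword, scheme, host expression, nonce or hash source."""
    return (token in KEYWORDS or bool(SCHEME_RE.match(token))
            or bool(HOST_RE.match(token)) or bool(NONCE_HASH_RE.match(token)))


def build_csp(directives):
    """Turn {directive: [sources]} into the Content-Security-Policy header value."""
    parts = []
    for name, sources in directives.items():
        if name not in FETCH_DIRECTIVES and name not in OTHER_DIRECTIVES:
            raise ValueError(f"unknown directive: {name}")
        if name in FLAG_DIRECTIVES:
            parts.append(" ".join([name, *sources]).strip())
            continue
        if not sources:
            raise ValueError(f"{name} needs at least one source (use 'none' to block all)")
        if "'none'" in sources and len(sources) > 1:
            raise ValueError(f"{name}: 'none' cannot be combined with other sources")
        for token in sources:
            if not is_valid_source(token):
                raise ValueError(f"{name}: invalid source {token!r}")
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


def effective_sources(directives, name):
    """Sources the browser applies to `name`: explicit, else default-src for fetch
    directives, else None (meaning no restriction at all)."""
    if name in directives:
        return list(directives[name])
    if name in FETCH_DIRECTIVES and "default-src" in directives:
        return list(directives["default-src"])
    return None


def audit(directives):
    """Return human-readable warnings for weak settings (assumed rule set)."""
    warnings = []
    if "default-src" not in directives:
        warnings.append("no default-src: every directive you did not set has no restriction")
    for name in ("script-src", "style-src"):
        eff = effective_sources(directives, name) or []
        if "'unsafe-inline'" in eff:
            warnings.append(f"{name} allows 'unsafe-inline', which permits injected inline code")
        if name == "script-src" and "'unsafe-eval'" in eff:
            warnings.append("script-src allows 'unsafe-eval'")
        if "*" in eff:
            warnings.append(f"{name} allows any host (*)")
    obj = effective_sources(directives, "object-src")
    if obj is None or "*" in obj:
        warnings.append("object-src is unrestricted; set it to 'none' unless plugins are needed")
    return warnings


def meta_ignored(directives):
    """Directives in the policy that a <meta http-equiv> delivery would silently drop."""
    return sorted(d for d in directives if d in HEADER_ONLY)


# Constructed sample policy in the order a user might tick the generator's checkboxes.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "img-src": ["'self'", "data:"],
    "frame-ancestors": ["'none'"],
}

if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp(POLICY))
    print("effective font-src:", effective_sources(POLICY, "font-src"))
    print("warnings:", audit(POLICY) or "none")
    print("ignored in <meta>:", meta_ignored(POLICY))
```

Running the script prints the assembled header, shows that `font-src` inherits `'self'` from `default-src` even though it was never set, and lists `frame-ancestors` as the directive that would be lost if the same policy were placed in a meta tag. Dropping `default-src` from `POLICY` makes the audit report that unset directives are unrestricted, which is the situation the answer above warns about.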
Can I use CSP with a meta tag instead of an HTTP header?
Yes, you can add <meta http-equiv="Content-Security-Policy" content="..."> in your HTML head. However, some directives like frame-ancestors only work as HTTP headers.