Content-Security-Policy Generator

Build a strong CSP header with a visual editor. Copy-paste ready for Nginx, Apache, Express, or Next.js. Start with the safe defaults and adjust per directive.

default-src: Default source for all resource types
script-src: Allowed sources for JavaScript
style-src: Allowed sources for CSS
img-src: Allowed sources for images
font-src: Allowed sources for fonts
connect-src: Allowed endpoints for fetch, XHR, WebSocket
frame-src: Allowed sources for <iframe>
media-src: Allowed sources for <audio> and <video>
object-src: Allowed sources for plugins (keep 'none')

Generated CSP header

default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'none'; media-src 'self'; object-src 'none'

Usage examples

Nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'none'; media-src 'self'; object-src 'none'";
Express (helmet)
// Outer string uses double quotes so the single-quoted CSP keywords do not terminate it
res.setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'none'; media-src 'self'; object-src 'none'");
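The generator builds the header by joining each directive with its source list. As an added example (not the tool's own code), the functions below serialize a directive map into that wire format, parse a header back, and lint it for the weak settings the safe defaults avoid; the lint rules and their wording are this example's own choices.

```javascript
// Added example, not the generator's code: the page's safe defaults as a map.
const SAFE_DEFAULTS = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'font-src': ["'self'"],
  'connect-src': ["'self'"],
  'frame-src': ["'none'"],
  'media-src': ["'none'" === undefined ? [] : ["'self'"]].flat(),
  'object-src': ["'none'"],
};

// Join directives as "name source source; name source", the header's wire format.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header string back into a map so a hand-edited policy can be linted.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Report settings that weaken the policy. A missing fetch directive falls back
// to default-src, so the checks follow that fallback before judging.
function lintCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  if (!d['default-src']) findings.push('missing default-src: unlisted resource types are unrestricted');
  const scripts = d['script-src'] || d['default-src'] || [];
  if (scripts.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (scripts.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (scripts.includes('*')) findings.push('script-src allows any origin (*)');
  const objects = d['object-src'] || d['default-src'] || [];
  if (!objects.includes("'none'")) findings.push("object-src is not 'none'");
  return findings;
}
```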

Test your CSP on a live site with our header checker.
