CSP Generator
FreeGenerate Content Security Policy headers for your site
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'">
About CSP Generator
A Content Security Policy is one of the strongest defenses against cross-site scripting and injection attacks, but writing one by hand means juggling a dozen directives and the exact source syntax for each. This CSP Generator helps you build a valid policy by choosing the sources you trust for scripts, styles, images, fonts, and connections, then assembling them into a header you can paste into your server config.
Pick directives and allowed origins and ToolHub by Codaiman produces a ready-to-use Content-Security-Policy header. It is free, browser-based, and needs no signup, so you can draft a starting policy in minutes, tighten it as you learn what your site loads, and avoid the typos that silently break a policy or leave a directive wide open.
Common uses
- Drafting a first Content-Security-Policy for a new web app
- Allowlisting a CDN or analytics domain in the right directive
- Locking down which origins can load scripts and styles
- Generating a policy to test in report-only mode before enforcing
- Reviewing directive syntax while hardening an existing site
How to use
- 1
Configure options
Set your preferences using the options panel below.
- 2
Click Generate
Click the process button to generate your result instantly.
- 3
Copy or download
Copy the result to clipboard or download it directly to your device.
Why ToolHub?
- Industry-standard algorithms
- No data retention
- OWASP-aligned checks
FAQ
Should I start in enforcing or report-only mode?
Report-only mode lets you see what a policy would block without breaking your site, so it is the safer way to roll out a new CSP before you switch to enforcement.
Why is using unsafe-inline discouraged?
Allowing inline scripts undermines much of CSP's protection against cross-site scripting. Prefer nonces or hashes for inline code so you can keep a strict policy.
Will this policy work everywhere out of the box?
It produces valid syntax, but every site loads different resources. Test with your real pages and watch for blocked requests, since a too-strict policy can break legitimate content.
Can I use CSP Generator on mobile?
Yes — ToolHub is fully responsive and works on iPhone, Android, tablets and all modern browsers. No app install needed.