
CSP Generator

Build Content Security Policy headers visually with a security score, ready-made presets, and Nginx output.

Tags: CSP generator, Content Security Policy, CSP header builder, XSS protection, web security headers, CSP policy generator

About CSP Generator

Build a Content Security Policy with a visual checkbox interface covering all major directives: default-src, script-src, style-src, img-src, font-src, connect-src, and more. The tool shows a security score (0–100), warns about 'unsafe-inline' and 'unsafe-eval', and outputs a ready-to-use header string, an HTML meta tag, and an Nginx config. It includes 5 presets: SPA, WordPress, Google Fonts, minimal, and development.

CSP Directives

- default-src: Fallback for any fetch directive that is not set explicitly.
- script-src: Where JavaScript can load from.
- style-src: Where CSS can load from.
- img-src: Where images can load from.
- font-src: Where fonts can load from.
- connect-src: Where fetch/XHR requests can go.
- frame-src: Where iframes can load from.
- object-src: Where plugins can load from.
- base-uri: Where the <base> tag can point to.
- form-action: Where forms can submit to.
- report-uri: Where violation reports are sent.

Source Values

- 'self': Same origin only.
- 'none': Nothing allowed.
- 'unsafe-inline': Allows inline scripts/styles (weak: it re-enables the injected inline code CSP is meant to block).
- 'unsafe-eval': Allows eval() and similar string-to-code APIs (weak).
- 'strict-dynamic': Trust propagates from nonce- or hash-allowed scripts to the scripts they load; host allowlists in script-src are then ignored.
- 'nonce-{random}': A specific random token, generated fresh for each response.
- 'sha256-{hash}': The hash of a specific inline script.
- https://www.: Any HTTPS URL.
- https://www.example.com: A specific domain.

Security Score

0-100 rating based on policy strength.

Penalties:
- 'unsafe-inline': -20
- 'unsafe-eval': -15
- no 'strict-dynamic': -10
- wildcard '*' allowed: -25

Bonuses:
- 'nonce-' or 'sha256-' sources used: +15
- 'report-uri' configured: +5
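The following is an added example, not the CSP Generator's own code, showing how the directive and source-value sections above turn into a header string and how the score rules listed here can be applied to it. The parser, the builder and the Nginx/meta output are my own; the penalty and bonus values are the page's, while the starting score of 80 and the clamping to 0-100 are assumptions, since the page does not state a baseline.

```python
"""Build, parse and score a Content Security Policy (added example)."""
from __future__ import annotations

UNSAFE_INLINE = "'unsafe-inline'"
UNSAFE_EVAL = "'unsafe-eval'"
STRICT_DYNAMIC = "'strict-dynamic'"
BASELINE = 80  # assumed starting score so that the bonuses can lift a policy to 100


def parse_policy(header: str) -> dict[str, list[str]]:
    """Split a header value such as "default-src 'self'; img-src data:" into
    {directive: [source, ...]}. Directive names are case-insensitive."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, *sources = tokens
        policy.setdefault(name.lower(), []).extend(sources)
    return policy


def build_policy(policy: dict[str, list[str]]) -> str:
    """Serialise {directive: [sources]} back into a header value."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def security_score(policy: dict[str, list[str]]) -> tuple[int, list[str]]:
    """Apply the page's penalties and bonuses; return (score, findings)."""
    sources = [s for values in policy.values() for s in values]
    # script-src falls back to default-src when it is not set explicitly
    script_src = policy.get("script-src", policy.get("default-src", []))
    score, findings = BASELINE, []
    if UNSAFE_INLINE in sources:
        score -= 20
        findings.append("'unsafe-inline' allows any injected inline script/style (-20)")
    if UNSAFE_EVAL in sources:
        score -= 15
        findings.append("'unsafe-eval' allows eval()/new Function() on attacker-controlled strings (-15)")
    if STRICT_DYNAMIC not in script_src:
        score -= 10
        findings.append("no 'strict-dynamic' in script-src (-10)")
    if "*" in sources:  # bare wildcard only; host patterns such as https://*.example.com are not penalised here
        score -= 25
        findings.append("wildcard '*' permits loads from any origin (-25)")
    if any(s.startswith(("'nonce-", "'sha256-")) for s in sources):
        score += 15
        findings.append("nonce or hash sources present (+15)")
    if "report-uri" in policy:
        score += 5
        findings.append("report-uri configured (+5)")
    return max(0, min(100, score)), findings


def _header_name(report_only: bool) -> str:
    return "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"


def header_line(policy: dict[str, list[str]], report_only: bool = False) -> str:
    """Raw HTTP header line, enforcing or report-only."""
    return f"{_header_name(report_only)}: {build_policy(policy)}"


def nginx_directive(policy: dict[str, list[str]], report_only: bool = False) -> str:
    """nginx add_header line; `always` also sends the header on error responses."""
    return f'add_header {_header_name(report_only)} "{build_policy(policy)}" always;'


def meta_tag(policy: dict[str, list[str]]) -> str:
    """<meta> delivery: report-uri, frame-ancestors and sandbox are ignored in a
    meta tag and Report-Only cannot be delivered that way, so those are dropped."""
    delivered = {k: v for k, v in policy.items() if k not in ("report-uri", "frame-ancestors", "sandbox")}
    return f'<meta http-equiv="Content-Security-Policy" content="{build_policy(delivered)}">'


if __name__ == "__main__":
    # constructed sample policies: a development-style one and a nonce-based one
    for text in ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src *",
                 "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; style-src 'self'; report-uri /csp-report"):
        policy = parse_policy(text)
        score, findings = security_score(policy)
        print(f"score {score:3d}  {nginx_directive(policy, report_only=True)}")
        for f in findings:
            print("   ", f)
```

The development-style policy scores 10 under these rules and the nonce-based one scores 100, which matches the page's advice: nonces plus 'strict-dynamic' replace both the inline allowance and the host allowlist. The `meta_tag` function deliberately drops `report-uri`, because browsers ignore reporting directives delivered through a meta tag; reporting needs the real header.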

Presets

- SPA (Single Page App): Modern React/Vue configuration.
- WordPress: WordPress-specific, with allowances for the admin API.
- Google Fonts: Includes fonts.googleapis.com and fonts.gstatic.com.
- Minimal: Very restrictive, least privilege.
- Development: Development-friendly, with unsafe-eval and localhost.

Report-Only Mode

Start with the Content-Security-Policy-Report-Only header to monitor violations without blocking anything. This allows a policy to be tested safely in production: violations are sent to the report-uri endpoint, and once the reports show nothing legitimate being blocked, the same policy can be moved to the enforcing Content-Security-Policy header.
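What arrives at the report-uri endpoint during a report-only rollout is a stream of JSON violation reports, and the useful work is aggregating them and deciding what each one means for the policy. The script below is an added example, not part of the CSP Generator: it parses reports in the `csp-report` JSON shape browsers POST to a report-uri, groups them by directive and blocked origin, and produces per-group recommendations that favour nonces and hashes over 'unsafe-inline', consistent with the score rules above. The sample reports, hostnames and paths are constructed for the example.

```python
"""Aggregate Content-Security-Policy-Report-Only violation reports (added example)."""
from __future__ import annotations

import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample reports, not real telemetry, in the report-uri JSON shape.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "https://cdn.example.net/vendor.js",
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/dashboard",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "https://cdn.example.net/app.js",
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "inline",
        "source-file": "https://app.example.com/",
        "line-number": 42,
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/",
        "effective-directive": "img-src",
        "violated-directive": "img-src",
        "blocked-uri": "data",
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }}),
]


def parse_report(body: str) -> dict:
    """Return the inner csp-report object, rejecting anything else sent to the endpoint."""
    data = json.loads(body)
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("body is not a csp-report object")
    return report


def blocked_origin(blocked_uri: str) -> str:
    """Reduce a blocked-uri to its origin; keep the keywords browsers use
    ("inline", "eval", "data", "blob", ...) as they are."""
    if not blocked_uri:
        return "(empty)"
    if "://" not in blocked_uri:
        return blocked_uri
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}"


def summarize(bodies) -> Counter:
    """Count violations per (directive, blocked origin)."""
    counts: Counter = Counter()
    for body in bodies:
        r = parse_report(body)
        # effective-directive is the one that actually applied; older browsers only send violated-directive
        directive = r.get("effective-directive") or (r.get("violated-directive") or "unknown").split()[0]
        counts[(directive, blocked_origin(r.get("blocked-uri", "")))] += 1
    return counts


def recommendations(counts: Counter) -> list[str]:
    """One suggested policy action per group, most frequent first."""
    recs = []
    for (directive, origin), n in counts.most_common():
        if origin == "inline":
            recs.append(f"{directive}: {n} inline violation(s); move the code to a file or add a nonce/sha256 hash rather than 'unsafe-inline'")
        elif origin == "eval":
            recs.append(f"{directive}: {n} eval violation(s); remove eval()/new Function() rather than adding 'unsafe-eval'")
        elif origin.startswith(("https://", "http://")):
            recs.append(f"{directive}: {n} load(s) from {origin}; allowlist that origin only if the resource is expected")
        else:
            recs.append(f"{directive}: {n} violation(s) with blocked-uri '{origin}'; check whether that scheme is really needed")
    return recs


if __name__ == "__main__":
    for line in recommendations(summarize(SAMPLE_REPORTS)):
        print(line)
```

Grouping by origin rather than full URL matters because browsers already strip paths from cross-origin `blocked-uri` values, and because the allowlist entry you would add is an origin anyway. The inline and eval branches are the ones to watch: the report-only phase should lead to nonces or hashes, not to the two unsafe keywords the score penalises.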

โ“ Frequently Asked Questions