🛡️Security

CSP Header Generator

Generate Content-Security-Policy headers with directive editor, presets, security scoring, and multi-format output.

Presets

Security Score

95/100

!'unsafe-inline' in style-src allows inline styles (lower risk than scripts)

Directives

default-src

'self'

script-src

'self'https://cdn.jsdelivr.nethttps://cdnjs.cloudflare.com

style-src

'self''unsafe-inline'https://fonts.googleapis.com

img-src

'self'data:https:

font-src

'self'https://fonts.gstatic.com

connect-src

'self'

media-src

'self'

frame-src

'self'

object-src

'none'

base-uri

'self'

form-action

'self'

frame-ancestors

'self'

Boolean Directives

upgrade-insecure-requestsblock-all-mixed-content

CSP Header

default-src 'self'; script-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self'; media-src 'self'; frame-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests

HTML Meta Tag

Nginx

add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self'; media-src 'self'; frame-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests";

Apache

Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self'; media-src 'self'; frame-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests"

Back to all tools