
CSP Policy Generator

Generate a Content Security Policy with directive toggles and presets, and output it as a meta tag, a response header, or a Nuxt config snippet to reduce XSS risk.

CSP Policy Configuration

  • default-src: Default policy
  • script-src: Script sources
  • style-src: Style sources
  • img-src: Image sources
  • connect-src: API connections
  • font-src: Font sources
  • frame-src: Iframe sources
  • media-src: Media sources
  • object-src: Object sources
  • Other Directives: Global hardening

Generated CSP Policy

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self' data:; frame-src 'none'; media-src 'self'; object-src 'none'; upgrade-insecure-requests">
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self' data:; frame-src 'none'; media-src 'self'; object-src 'none'; upgrade-insecure-requests

Policy Preview

  • default-src: 'self'
  • script-src: 'self'
  • style-src: 'self'
  • img-src: 'self' data:
  • connect-src: 'self'
  • font-src: 'self' data:
  • frame-src: 'none'
  • media-src: 'self'
  • object-src: 'none'
  • base-uri: (not set)
  • form-action: (not set)
  • upgrade-insecure-requests: enabled
  • block-all-mixed-content: (not set)

Usage Notes

  • default-src is the fallback policy; any directive you leave unset inherits its sources.
  • Avoid 'unsafe-inline' in script-src and style-src whenever possible.
  • Roll out in Report-Only mode first to observe violations before enforcing the policy in production.
  • Tighten the policy step by step so that existing features keep working.

Documentation

What is the CSP Policy Generator

CSP (Content Security Policy) restricts the sources from which the browser may load resources, reducing XSS and injection risk. This tool builds deploy-ready policy strings and sample configs.

Highlights

  • Presets for strict, balanced, and development modes.
  • Toggle common directives and add custom sources.
  • Outputs meta tag, response header, and Nuxt config snippet.
  • Live preview of effective sources per directive.

How to Use

  1. Choose a preset or configure directives manually.
  2. Add custom sources and confirm unsafe options if needed.
  3. Copy the response header or meta tag into your app.
  4. Tighten the policy gradually based on reports and behavior.

Security Tips

  • Prefer response headers in production; they override meta tags.
  • Avoid 'unsafe-inline' and 'unsafe-eval' in production.
  • Use nonce- or hash-based sources for third-party scripts.
  • Keep static assets on trusted domains or a CDN.

Data is processed locally in your browser by default and will not be uploaded to any server. Upload will be clearly indicated if required.

© 2026 See-Tool. All rights reserved.