
CSP Policy Generator

Generate Content Security Policy with directive toggles and presets, output meta tag, response header, and Nuxt config snippet for XSS protection

CSP Policy Configuration

  • default-src: Default policy
  • script-src: Script sources
  • style-src: Style sources
  • img-src: Image sources
  • connect-src: API connections
  • font-src: Font sources
  • frame-src: Iframe sources
  • media-src: Media sources
  • object-src: Object sources
  • Other Directives: Global hardening

Generated CSP Policy

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self' data:; frame-src 'none'; media-src 'self'; object-src 'none'; upgrade-insecure-requests">
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self' data:; frame-src 'none'; media-src 'self'; object-src 'none'; upgrade-insecure-requests

Policy Preview

  • default-src: 'self'
  • script-src: 'self'
  • style-src: 'self'
  • img-src: 'self' data:
  • connect-src: 'self'
  • font-src: 'self' data:
  • frame-src: 'none'
  • media-src: 'self'
  • object-src: 'none'
  • base-uri: (not set)
  • form-action: (not set)
  • upgrade-insecure-requests: enabled
  • block-all-mixed-content: (not set)

Usage Notes

  • default-src is the fallback for the fetch directives: any fetch directive you leave unset (script-src, img-src, and so on) inherits it. base-uri and form-action do not fall back to it, so set them explicitly.
  • Avoid 'unsafe-inline' in script-src and style-src when possible; it gives up the protection CSP offers against injected inline script and styles.
  • In production, start with the Content-Security-Policy-Report-Only header to observe violations without blocking anything.
  • Tighten the policy step by step so that existing features keep working.
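The three output forms the tool offers, plus a lint for the usage notes above, as an added example. This is not the generator's own code; the header names and the `<meta>` restrictions are standard CSP, the `routeRules` shape is Nuxt 3's Nitro route-rule config, and the sample policy is the one shown on this page.

```javascript
// Added example, not the generator's own code: build a CSP from a directive
// map, emit the header / meta-tag / Nuxt 3 routeRules forms the tool offers,
// and lint the result against the hardening advice in the usage notes.

// Sample input: the generator's own policy from this page, as a directive map.
// A directive with an empty source list (upgrade-insecure-requests) is a flag.
const samplePolicy = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'connect-src': ["'self'"],
  'font-src': ["'self'", 'data:'],
  'frame-src': ["'none'"],
  'media-src': ["'self'"],
  'object-src': ["'none'"],
  'upgrade-insecure-requests': [],
};

const ENFORCE_HEADER = 'Content-Security-Policy';
const REPORT_ONLY_HEADER = 'Content-Security-Policy-Report-Only';

// Header-value form: "directive src src; directive; ..."
function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// Full response header line. reportOnly selects the Report-Only header, which
// reports violations (via report-to / report-uri) without blocking anything.
function toHeader(policy, { reportOnly = false } = {}) {
  return `${reportOnly ? REPORT_ONLY_HEADER : ENFORCE_HEADER}: ${serializePolicy(policy)}`;
}

// <meta> form. A meta policy cannot be Report-Only, and browsers ignore
// frame-ancestors, report-uri and sandbox in it, so refuse those directives.
function toMetaTag(policy) {
  for (const d of ['frame-ancestors', 'report-uri', 'sandbox']) {
    if (d in policy) throw new Error(`${d} has no effect in a <meta> CSP; deliver it as a header`);
  }
  return `<meta http-equiv="Content-Security-Policy" content="${serializePolicy(policy)}">`;
}

// Nuxt 3 (Nitro) routeRules fragment for nuxt.config: header on every route.
function toNuxtRouteRules(policy, opts = {}) {
  const name = opts.reportOnly ? REPORT_ONLY_HEADER : ENFORCE_HEADER;
  return { routeRules: { '/**': { headers: { [name]: serializePolicy(policy) } } } };
}

// Lint: 'unsafe-inline' in the effective script/style sources, base-uri and
// form-action left unset (they do NOT inherit default-src), object-src not 'none'.
function lintPolicy(policy) {
  const findings = [];
  const effective = (d) => policy[d] ?? policy['default-src'] ?? [];
  for (const d of ['script-src', 'style-src']) {
    if (effective(d).includes("'unsafe-inline'")) findings.push(`${d} allows 'unsafe-inline'`);
  }
  for (const d of ['base-uri', 'form-action']) {
    if (!(d in policy)) findings.push(`${d} not set (does not inherit default-src)`);
  }
  if (!effective('object-src').includes("'none'")) findings.push("object-src is not 'none'");
  return findings;
}

// Stand-alone run: print the Report-Only header and the lint findings.
console.log(toHeader(samplePolicy, { reportOnly: true }));
console.log(lintPolicy(samplePolicy));
```

Running it on the page's own policy reports only that base-uri and form-action are unset, which matches the "(not set)" rows in the preview; swapping in a script-src that carries 'unsafe-inline' produces a finding for that directive instead.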


Documentation

What is CSP Policy Generator

This tool helps you build Content Security Policy (CSP) rules visually, balancing security hardening and practical resource loading.

Key Features

  • Start from a strict, balanced, or development preset.
  • Configure directives with selectable sources and custom entries.
  • Generate meta tag, HTTP header, and Nuxt config output.
  • Preview directive status in real time and copy instantly.

Steps

  1. Pick a preset as the baseline.
  2. Tune directives like script-src and style-src.
  3. Copy the output format you need.
  4. Validate on real pages before production rollout.

FAQ

Why do some resources fail after enabling CSP?

Most often, a host the page loads from is missing in the governing directive, for example a script host that is not listed in script-src. Remember that a directive you did not set is governed by default-src, so a load can also fail because default-src is 'self' and the resource comes from elsewhere.
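The FAQ answer above, and the fallback rule from the usage notes, can be checked mechanically before rollout: parse the policy, resolve which directive governs each load (falling back to default-src for fetch directives), and match the load's URL against that directive's source list. The block below is an added example, not the generator's code; the policy, page URL and resource list are constructed sample input, and the matcher models 'self', 'none', scheme sources and host sources (with wildcard subdomains and ports) but not nonces, hashes or the finer points of path matching.

```javascript
// Added example, not the generator's own code: decide which of a page's loads
// a CSP would block, following the fallback rule (unset fetch directives
// inherit default-src) and simplified host-source matching.

// Parse a header value into { directive: [sources] }.
function parsePolicy(text) {
  const policy = {};
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (!tokens.length) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives that fall back to default-src when absent. base-uri,
// form-action and frame-ancestors are deliberately not in this set.
const FALLS_BACK = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'frame-src', 'media-src', 'object-src',
]);

// Sources that govern a directive, or null when nothing restricts it.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if (FALLS_BACK.has(directive) && 'default-src' in policy) return policy['default-src'];
  return null;
}

function defaultPort(protocol) {
  return { 'https:': '443', 'http:': '80', 'wss:': '443', 'ws:': '80' }[protocol] || '';
}

// Does one source expression match the resource URL? Keyword sources other
// than 'self'/'none' (nonces, hashes, 'unsafe-inline') never match a URL.
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false;
  if (s === '*') return !/^(data|blob|filesystem):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;   // scheme-source
  // host-source: [scheme://][*.]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && url.protocol !== `${scheme}:`) return false;
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  if (port && port !== '*' && (url.port || defaultPort(url.protocol)) !== port) return false;
  if (path && !url.pathname.startsWith(path)) return false;      // prefix match only
  return true;
}

// Returns the loads the policy would block, with the directive that decided it.
function blockedLoads(policyText, pageUrl, loads) {
  const policy = parsePolicy(policyText);
  const pageOrigin = new URL(pageUrl).origin;
  const blocked = [];
  for (const { directive, url } of loads) {
    const sources = effectiveSources(policy, directive);
    if (sources === null) continue;
    const u = new URL(url);
    if (!sources.some((src) => sourceMatches(src, u, pageOrigin))) {
      blocked.push({ directive, url, governedBy: directive in policy ? directive : 'default-src' });
    }
  }
  return blocked;
}

// Constructed sample: a policy that omits media-src and connect-src, and the
// loads a page at app.example.com might make.
const samplePolicyText =
  "default-src 'self'; script-src 'self' https://cdn.example.net; img-src 'self' data: *.images.example.com; object-src 'none'";
const samplePageUrl = 'https://app.example.com/index.html';
const sampleLoads = [
  { directive: 'script-src', url: 'https://cdn.example.net/lib.js' },          // listed host: allowed
  { directive: 'script-src', url: 'https://analytics.example.org/tag.js' },   // host missing: blocked
  { directive: 'img-src', url: 'data:image/png;base64,iVBORw0KGgo=' },         // scheme source: allowed
  { directive: 'img-src', url: 'https://cdn.images.example.com/a.png' },      // wildcard host: allowed
  { directive: 'media-src', url: 'https://media.example.org/clip.mp4' },      // falls back to default-src: blocked
  { directive: 'connect-src', url: 'https://app.example.com/api/me' },        // falls back, same origin: allowed
  { directive: 'object-src', url: 'https://app.example.com/plugin.swf' },     // 'none': blocked
];

console.log(blockedLoads(samplePolicyText, samplePageUrl, sampleLoads));
```

The `governedBy` field is the useful part when debugging the FAQ's symptom: a blocked media load reported under default-src tells you that media-src was never set, whereas one reported under media-src means the host is missing from a directive you did configure.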

Should I use the meta tag or the HTTP header?

For production, prefer the HTTP response header: it is applied before any markup is parsed, it can be delivered as Report-Only, and it supports directives that a meta tag ignores (frame-ancestors, report-uri, sandbox), so enforcement is broader and more reliable.