Content Security Policy Generator
Build Content Security Policy headers interactively. Toggle directives like script-src, style-src, and img-src, select allowed source tokens, and add custom origins. Instantly outputs your CSP as an HTTP header, meta tag, Nginx directive, or Apache header.
How to Use Content Security Policy Generator
How to Use the Content Security Policy Generator
Step 1: Enable Directives
Each card represents a CSP directive. Toggle a directive ON to include it in your policy. Start with the basics:
- default-src — The catch-all fallback. Set this first; it applies to any directive you leave off.
- script-src — Controls where JavaScript can load from. The most critical directive for XSS protection.
- style-src — Controls CSS sources.
- img-src — Controls image sources.
data:is often needed for inline base64 images. - object-src — Set this to
noneto block plugins like Flash.
Step 2: Choose Source Keywords
Click the chips to toggle source keywords on or off:
| Keyword | Meaning |
|---|---|
self | Same origin only — recommended baseline |
none | Block all sources |
https: | Any HTTPS source |
data: | data: URIs |
blob: | blob: URLs |
unsafe-inline | Allow inline code/styles — reduces security ⚠️ |
unsafe-eval | Allow eval() — reduces security ⚠️ |
strict-dynamic | Trust hashed/nonce scripts to load others |
* | Wildcard — any source — avoid in production ⚠️ |
Step 3: Add Custom Origins
For each directive, type specific allowed origins in the text field — space-separated:
https://cdn.example.com https://fonts.googleapis.com
Step 4: Copy in Your Preferred Format
| Format | When to use |
|---|---|
| Value | Paste directly into server config |
| HTTP Header | Full header string with directive name |
| Meta tag | Embed in HTML head |
| Nginx | Paste into nginx.conf server block |
| Apache | Paste into .htaccess or virtual host config |
Report-Only Mode
Enable Report-Only mode to test your policy without blocking anything. The browser logs violations but does not enforce the policy. Add a report-uri to receive violation reports at an endpoint you control.
Recommended Starting Point
default-src self; script-src self; style-src self; img-src self data:; object-src none; base-uri self
Once deployed in Report-Only mode, monitor violations for a week, then switch to enforcing.
Frequently Asked Questions
Most Viewed Tools
TOTP Code Generator
Generate time-based one-time passwords from a TOTP secret key. Enter your base32 secret, choose a period and digit length, and get the current and next codes with a live countdown timer. Useful for testing and debugging 2FA integrations.
Use Tool →Password Entropy Calculator
Calculate the information-theoretic bit entropy of any password or API key. Detects character set pools automatically, shows the total number of possible combinations, and estimates crack time across five attack scenarios from rate-limited web logins to GPU cracking clusters.
Use Tool →Screen Size Converter
Calculate screen width and height from diagonal size and aspect ratio. Convert between inches and centimeters for displays, TVs, and monitors with instant dimension calculations.
Use Tool →SSH Key Generator
Generate Ed25519 and RSA 4096-bit SSH key pairs entirely in your browser. Keys are never sent to any server — 100% client-side using the Web Crypto API.
Use Tool →PGP Key Generator
Generate PGP public and private key pairs for email encryption and code signing. Supports ECC (Curve25519) and RSA up to 4096-bit. Entirely browser-side — keys never leave your device.
Use Tool →DPI Calculator
Calculate DPI (dots per inch), image dimensions, and print sizes. Convert between pixels and physical dimensions for printing and displays.
Use Tool →Paper Size Converter
Convert between international paper sizes (A4, Letter, Legal) with dimensions in mm, cm, and inches. Compare ISO A/B series and North American paper standards.
Use Tool →Reorder PDF Pages
Drag and drop to rearrange PDF pages in any order. Upload your PDF, preview all pages as thumbnails, drag pages to reorder them, and download the rearranged PDF. Fast, visual, and privacy-focused.
Use Tool →Related Privacy & Security Tools
PGP Key Generator
Generate PGP public and private key pairs for email encryption and code signing. Supports ECC (Curve25519) and RSA up to 4096-bit. Entirely browser-side — keys never leave your device.
Use Tool →TOTP Code Generator
Generate time-based one-time passwords from a TOTP secret key. Enter your base32 secret, choose a period and digit length, and get the current and next codes with a live countdown timer. Useful for testing and debugging 2FA integrations.
Use Tool →Password Entropy Calculator
Calculate the information-theoretic bit entropy of any password or API key. Detects character set pools automatically, shows the total number of possible combinations, and estimates crack time across five attack scenarios from rate-limited web logins to GPU cracking clusters.
Use Tool →SSH Key Generator
Generate Ed25519 and RSA 4096-bit SSH key pairs entirely in your browser. Keys are never sent to any server — 100% client-side using the Web Crypto API.
Use Tool →API Key Generator
Generate secure, cryptographically random API keys for authentication and authorization. Create custom API keys with various formats including hex, base64, and prefixed keys.
Use Tool →RSA Key Generator
Generate secure RSA public/private key pairs for encryption, digital signatures, and authentication. Create 1024 to 4096-bit RSA keys instantly in your browser.
Use Tool →PIN Generator
Generate secure numeric PINs for devices, accounts, and security systems. Create random PINs with strength analysis and security recommendations.
Use Tool →Webhook Signature Verifier
Compute and verify HMAC webhook signatures in your browser. Supports HMAC-SHA256, SHA-512, and SHA-1 with hex or base64 encoding. Compatible with Stripe, GitHub, Twilio, and any HMAC-signed webhook.
Use Tool →Share Your Feedback
Help us improve this tool by sharing your experience