Free CSP Generator (Content Security Policy Builder)
Build a Content-Security-Policy header from scratch: pick directives and sources, and get a copy-ready header with the risky options explained.
Frequently asked
What's a good starting CSP?
Start with default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none', then add specific script-src and style-src sources as your pages need them. Deploy it first as Content-Security-Policy-Report-Only so you can find breakage from the violation reports before switching to enforcement.
Why avoid unsafe-inline?
Because it re-enables exactly what CSP exists to block: injected inline scripts. If you need inline code, allow it with nonces or hashes instead; 'unsafe-inline' in script-src reduces your CSP to decoration.
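Both answers above put together in code, as an added example that is not part of this page or the generator's own implementation: it serializes the starting policy from the first answer, computes a hash-source and a nonce for inline scripts as the second answer recommends, emits either header name depending on report-only mode, and flags the source expressions that weaken script-src. The inline script text, the with_script_sources and risky_sources helpers and the specific weakness rules are assumptions made for illustration.

```python
import base64
import hashlib
import secrets

# Constructed sample inline script. In practice this must be the exact text of
# the <script> element body, byte for byte, whitespace included.
INLINE_SCRIPT = "console.log('csp demo');"

# The starting policy from the FAQ, as a directive -> source list mapping.
BASE_POLICY = {
    "default-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
}


def script_hash(source: str) -> str:
    """CSP hash-source for an inline script: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Fresh per-response nonce (128 random bits, base64). Never reuse across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def with_script_sources(policy: dict, *sources: str) -> dict:
    """Copy the policy and append script-src sources (hash/nonce tokens, hosts, keywords)."""
    out = {name: list(srcs) for name, srcs in policy.items()}
    out.setdefault("script-src", ["'self'"]).extend(sources)
    return out


def build_csp(policy: dict, report_only: bool = False) -> tuple[str, str]:
    """Serialize to (header name, header value). Report-Only logs violations without blocking."""
    value = "; ".join(
        name + (" " + " ".join(srcs) if srcs else "") for name, srcs in policy.items()
    )
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return header, value


def risky_sources(policy: dict) -> list[str]:
    """Flag settings that undercut the policy (assumed rule set, not the generator's own)."""
    findings = []
    # script-src falls back to default-src when absent, so check the effective list.
    scripts = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
    # CSP Level 2 browsers ignore 'unsafe-inline' once a nonce or hash is present,
    # so it is only a real weakness when it stands alone.
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src 'unsafe-inline': injected inline scripts execute")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src 'unsafe-eval': string-to-code (eval) is allowed")
    for broad in ("*", "data:", "http:", "https:"):
        if broad in scripts:
            findings.append(f"script-src {broad}: effectively any script origin")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src missing: plugin content falls back to default-src")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative URLs")
    return findings


if __name__ == "__main__":
    nonce = new_nonce()
    hardened = with_script_sources(BASE_POLICY, script_hash(INLINE_SCRIPT), f"'nonce-{nonce}'")
    for report_only in (True, False):
        header, value = build_csp(hardened, report_only=report_only)
        print(f"{header}: {value}")
    print("warnings (hardened):", risky_sources(hardened))
    weak = with_script_sources(BASE_POLICY, "'unsafe-inline'")
    print("warnings (weak):", risky_sources(weak))
```

The hash token only matches if the server hashes exactly the bytes the browser sees, so generate it from the same template output you serve; the nonce must be generated per response and injected into each allowed script tag's nonce attribute. Keeping 'unsafe-inline' next to a nonce or hash is harmless on CSP Level 2 browsers, which ignore it in that case, and it serves as a fallback for older ones.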