DevBolt
Processed in your browser. Your data never leaves your device.

How do I build a Content Security Policy header online?

Configure 17 CSP directives (default-src, script-src, style-src, img-src, and more) using visual controls with source value options. Choose from framework presets for Next.js, React, WordPress, or API servers. See a real-time security analysis with a letter grade. Export as HTTP header, meta tag, or Nginx/Apache/Vercel/Netlify config. Everything runs in your browser.

Build strict CSP header
Input
default-src: 'self'
script-src: 'self'
style-src: 'self' 'unsafe-inline'
img-src: 'self' data:
connect-src: 'self' https://api.example.com
Output
Content-Security-Policy:
  default-src 'self';
  script-src 'self';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data:;
  connect-src 'self'
    https://api.example.com;

CSP Header Builder

Build Content Security Policy headers visually with framework presets, security analysis, and multi-format output.

Directives

Fetch Directives

Document Directives

Navigation Directives

Output Format

Generated Policy

Content-Security-Policy: upgrade-insecure-requests

Security Analysis

No directives enabled. Enable at least default-src to start.

Policy Stats

0
Directives
25
Characters
0
Warnings

Related Guides

CSP Directives GuideCSP Framework ExamplesCommon CSP Issues

Tips & Best Practices

Pro Tip

Start with Content-Security-Policy-Report-Only

A misconfigured CSP breaks your site — scripts stop loading, styles disappear, images fail. Deploy as Content-Security-Policy-Report-Only first to log violations without blocking. Monitor report-uri endpoints for a week, fix legitimate sources, then switch to enforcing mode.

Common Pitfall

'unsafe-inline' for scripts defeats the purpose of CSP

script-src 'self' 'unsafe-inline' allows any inline <script> tag, which is exactly what XSS attacks inject. Use nonces (script-src 'nonce-abc123') or hashes instead. Most frameworks (Next.js, Nuxt) support CSP nonces. 'unsafe-inline' for styles is less dangerous but still not ideal.

Real-World Example

Build a CSP for Next.js with Google Analytics

Start with default-src 'self'; script-src 'self' 'nonce-{random}' https://www.googletagmanager.com; img-src 'self' https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com. Next.js 14+ supports nonce-based CSP via middleware. Test with Report-Only first.

Security Note

frame-ancestors replaces X-Frame-Options for clickjacking protection

frame-ancestors 'none' (equivalent to X-Frame-Options: DENY) prevents your site from being embedded in iframes on other domains. Unlike X-Frame-Options, CSP frame-ancestors supports multiple domains and is the modern standard. Set both for backward compatibility with older browsers.

Frequently Asked Questions

What is a Content Security Policy (CSP) and why do I need one?
A Content Security Policy is an HTTP response header that tells browsers which resources (scripts, styles, images, fonts, frames) are allowed to load on your page. CSP prevents cross-site scripting (XSS) attacks by blocking inline scripts and resources from unauthorized domains. Without CSP, an attacker who injects malicious JavaScript can steal user data, session cookies, and credentials. A properly configured CSP reduces XSS risk by 90% or more because even if injection occurs, the browser refuses to execute unauthorized scripts. DevBolt's CSP Builder helps you construct the header visually with directive dropdowns and framework-specific presets.
How do I create a Content Security Policy header?
Start with a restrictive default-src 'self' directive that only allows resources from your own domain, then add specific directives to allowlist trusted sources. Common directives include script-src for JavaScript, style-src for CSS, img-src for images, font-src for fonts, and connect-src for API endpoints. DevBolt's CSP Builder provides a visual interface where you select directives and add allowed sources without memorizing the syntax. Framework presets auto-configure common requirements like Google Fonts and analytics scripts. Test your policy in report-only mode first using Content-Security-Policy-Report-Only to log violations without blocking resources.
What does 'unsafe-inline' mean in CSP and should I avoid it?
The 'unsafe-inline' keyword allows inline scripts and styles to execute, which significantly weakens CSP protection against XSS attacks. With unsafe-inline enabled for script-src, any injected inline script can still run, defeating much of CSP's purpose. Avoid it whenever possible. Instead, use nonces that change on every page load, or hashes for specific inline scripts. For styles, unsafe-inline is more commonly needed because many CSS-in-JS libraries inject inline styles. If you must use unsafe-inline for styles, ensure script-src remains strict. DevBolt's builder warns when you select unsafe-inline and suggests nonce-based alternatives.

Related Generate Tools

SHD

Box Shadow Generator

Design CSS box shadows visually with multiple layers, presets, and live preview

FLX

Flexbox Generator

Build CSS flexbox layouts visually with live preview, item config, and presets

Grid

Grid Generator

Build CSS grid layouts visually with columns, rows, gap, item placement, and presets

◜◝

Border Radius Generator

Design CSS border-radius visually with per-corner controls, unit selection, and presets