Free lightweight tool, no login required

Free Content Security Policy (CSP) Generator

Easily scaffold a strict Content Security Policy to protect your site against Cross-Site Scripting (XSS) and data injection. Configure your allowed sources, generate the header, and add it to your server.

Why Do You Need a Content Security Policy?

A Content Security Policy (CSP) is an added layer of HTTP security that helps detect and mitigate certain types of attacks, primarily Cross-Site Scripting (XSS) and data injection attacks.

By defining a CSP, you tell the browser explicitly which origins it may load executable scripts, stylesheets, fonts, images and other resources from, and whether inline script is permitted at all. If an attacker manages to inject a `<script>` tag pointing at a host that is not on the list, or inline script when the policy does not allow it, the browser refuses to execute it because it does not match the policy. CSP is a second line of defence: it limits what injected markup can do, but it does not fix the injection itself, so output encoding and input validation are still required.

Core Settings

Common Third-Party Access

Custom Directives

script-src (comma separated). Defines the origins executable scripts may be loaded from.

connect-src (comma separated). URLs your scripts connect to via fetch, XMLHttpRequest, WebSockets and EventSource.


Verify your security policies in production

Generating a CSP is just the first step. Run a full SitePrivacyScore audit to see how your entire site behaves, check for missed trackers, and validate all your HTTP response headers.


Frequently Asked Questions

What is a Content Security Policy?
CSP is a security mechanism delivered via an HTTP response header (or, with limitations, a `<meta>` tag). It lets site administrators declare the approved sources of content that the browser may load and whether inline script and `eval()` are allowed. It was designed primarily to mitigate Cross-Site Scripting (XSS) and other content-injection attacks.
How do I implement the generated CSP?
The preferred and most secure way is to deliver the generated string as an HTTP response header (e.g., `Content-Security-Policy: default-src 'self' ...`). You can configure this in your web server (Apache, Nginx) or application framework. Alternatively, you can place it inside a `<meta http-equiv="Content-Security-Policy" content="...">` tag in your HTML `<head>`, though some directives (`frame-ancestors`, `report-uri`, `sandbox`) are ignored there, and the policy only applies to content parsed after the tag, so put it as early in `<head>` as possible.
What is Report-Only mode?
Before enforcing a strict CSP and potentially breaking your site layout or scripts, you should use the `Content-Security-Policy-Report-Only` header. The browser will not block any resources, but it will send a JSON violation report to the endpoint named in the policy's `report-uri` (or `report-to`) directive whenever it detects something the policy would have blocked. Both headers can be sent at the same time, so you can enforce a known-good baseline while testing a stricter policy in report-only mode. Expect some noise in the reports (browser extensions, in particular, trigger violations the site did not cause), so triage them before changing the policy.
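Triaging report-only data is where most of the work is. The following is an added example (not part of this page or the generator itself) showing how the reports a browser POSTs to a `report-uri` endpoint can be parsed, stripped of browser-extension noise, and grouped so you can see what the policy would actually block. The report field names (`csp-report`, `effective-directive`, `blocked-uri`, `disposition`, `source-file`) follow the CSP violation-report format; the sample reports and the `/csp-report` path are constructed for the example.

```javascript
'use strict';

// Browsers POST one JSON document per violation with Content-Type
// application/csp-report. Parse defensively: anything on the internet can
// hit this endpoint, so a malformed body must not throw.
function parseReport(body) {
  try {
    const parsed = JSON.parse(body);
    const r = parsed && parsed['csp-report'];
    if (!r || typeof r !== 'object') return null;
    return {
      documentUri: r['document-uri'] || '',
      // effective-directive is the one that actually fired; older reports
      // only carry violated-directive, so fall back to it.
      directive: (r['effective-directive'] || r['violated-directive'] || '').split(' ')[0],
      blockedUri: r['blocked-uri'] || '',
      disposition: r['disposition'] || 'enforce',
      sourceFile: r['source-file'] || null,
      line: r['line-number'] || null,
    };
  } catch (e) {
    return null;
  }
}

// Violations caused by browser extensions injecting into the page are not
// something the site's policy can or should accommodate.
const NOISE_SCHEMES = ['chrome-extension://', 'moz-extension://',
  'safari-extension://', 'safari-web-extension://', 'about:'];
function isNoise(report) {
  return NOISE_SCHEMES.some((s) => report.blockedUri.startsWith(s));
}

// Group real violations by (directive, blocked-uri) and sort by frequency so
// the most common gaps in the policy come first. blocked-uri "inline" means
// an inline <script> or style was refused, which is where unsafe-inline is
// usually being asked for and where a nonce or hash is the better fix.
function triageReports(reports) {
  const groups = new Map();
  for (const r of reports) {
    if (!r || isNoise(r)) continue;
    const key = `${r.directive} ${r.blockedUri}`;
    const g = groups.get(key) || {
      directive: r.directive, blockedUri: r.blockedUri, count: 0, samples: [],
    };
    g.count += 1;
    if (g.samples.length < 3 && r.sourceFile) g.samples.push(`${r.sourceFile}:${r.line}`);
    groups.set(key, g);
  }
  return [...groups.values()].sort((a, b) =>
    b.count - a.count || `${a.directive} ${a.blockedUri}`.localeCompare(`${b.directive} ${b.blockedUri}`));
}

// Constructed sample bodies, as a browser would send them to /csp-report.
const sampleBodies = [
  '{"csp-report":{"document-uri":"https://www.example.com/","effective-directive":"script-src","violated-directive":"script-src","blocked-uri":"https://cdn.example.com/app.js","disposition":"report"}}',
  '{"csp-report":{"document-uri":"https://www.example.com/about","effective-directive":"script-src","violated-directive":"script-src","blocked-uri":"https://cdn.example.com/app.js","disposition":"report"}}',
  '{"csp-report":{"document-uri":"https://www.example.com/","effective-directive":"script-src-elem","violated-directive":"script-src-elem","blocked-uri":"inline","source-file":"https://www.example.com/","line-number":42,"disposition":"report"}}',
  '{"csp-report":{"document-uri":"https://www.example.com/","effective-directive":"img-src","violated-directive":"img-src","blocked-uri":"chrome-extension://abcdefgh/icon.png","disposition":"report"}}',
  '{"csp-report":{"document-uri":"https://www.example.com/","effective-directive":"connect-src","violated-directive":"connect-src","blocked-uri":"wss://ws.example.com","disposition":"report"}}',
  'not json at all',
];

function demo() {
  const summary = triageReports(sampleBodies.map(parseReport));
  for (const g of summary) {
    console.log(`${g.count}x ${g.directive} blocked ${g.blockedUri}` +
      (g.samples.length ? ` (e.g. ${g.samples.join(', ')})` : ''));
  }
  return summary;
}

demo();
```

Each line of the summary maps directly to a decision: a blocked CDN host that the site genuinely uses goes into the allow-list, an `inline` entry points at a script to move into a file or cover with a nonce, and the extension report is dropped without action.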
Why is 'unsafe-inline' considered bad practice?
Using `'unsafe-inline'` in `script-src` allows inline `<script>` blocks, inline event handlers (like `onclick`) and `javascript:` URLs to run. If you allow this, you defeat the primary purpose of CSP, because the most common XSS payloads are exactly such inline elements injected into your page. Move scripts into external files, or, where inline script is unavoidable, allow it with a per-response nonce (`'nonce-...'`) or a hash of its contents (`'sha256-...'`); when a nonce or hash is present, browsers ignore `'unsafe-inline'` in that directive. `'unsafe-inline'` in `style-src` is less dangerous but still permits style injection.
What does 'default-src' do?
The `default-src` directive serves as a fallback for the fetch directives. If you don't explicitly define `font-src` or `script-src`, the browser applies the rule specified in `default-src` (some directives have a longer chain: `frame-src` falls back to `child-src` before `default-src`). Setting it to `'self'` is a strong restrictive default. Note that `base-uri`, `form-action` and `frame-ancestors` do not inherit from `default-src`, so leaving them out leaves those behaviours unrestricted; a strict policy sets them explicitly.
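To show how the header from the implementation, `'unsafe-inline'` and `default-src` answers above fits together, here is an added example (not the generator's own code) that builds the `Content-Security-Policy` or `Content-Security-Policy-Report-Only` header from the kind of comma-separated fields the generator uses, resolves which directive governs a resource type after `default-src` fallback, and lints the policy for the weaknesses discussed above. The fallback chains follow the CSP3 spec; the config shape, the `exampleConfig` hosts and the `applyCsp` helper are assumptions made for the example.

```javascript
'use strict';

// Fallback chain per directive: when the directive is absent the browser
// consults these in order. An empty chain means no fallback, so omitting the
// directive leaves that behaviour unrestricted.
const FALLBACK = {
  'script-src': ['default-src'], 'style-src': ['default-src'],
  'img-src': ['default-src'], 'font-src': ['default-src'],
  'connect-src': ['default-src'], 'media-src': ['default-src'],
  'object-src': ['default-src'], 'manifest-src': ['default-src'],
  'child-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
  'script-src-elem': ['script-src', 'default-src'],
  'script-src-attr': ['script-src', 'default-src'],
  'style-src-elem': ['style-src', 'default-src'],
  'style-src-attr': ['style-src', 'default-src'],
  'base-uri': [], 'form-action': [], 'frame-ancestors': [],
};

// Accept the generator's "comma separated" text fields or plain arrays.
function parseSources(value) {
  const items = Array.isArray(value) ? value : String(value).split(',');
  return items.map((s) => s.trim()).filter(Boolean);
}

// { 'script-src': "'self', https://cdn.example.com" } -> Map(directive -> sources)
function toPolicy(config) {
  const policy = new Map();
  for (const [directive, value] of Object.entries(config)) policy.set(directive, parseSources(value));
  return policy;
}

// Serialise to a header. reportOnly picks the Report-Only header so the
// browser reports violations (to reportUri) instead of blocking.
function buildHeader(config, { reportOnly = false, reportUri = null } = {}) {
  const policy = toPolicy(config);
  if (reportUri) policy.set('report-uri', [reportUri]);
  const value = [...policy].map(([d, sources]) => [d, ...sources].join(' ')).join('; ');
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { name, value };
}

// The directive that actually governs a resource type after fallback, or
// null when nothing applies (unrestricted).
function governingDirective(policy, directive) {
  const chain = [directive, ...(FALLBACK[directive] || [])];
  return chain.find((d) => policy.has(d)) || null;
}

// Checks a reviewer runs before the policy ships.
function lint(config) {
  const policy = toPolicy(config);
  const findings = [];
  const effective = (d) => { const g = governingDirective(policy, d); return g ? policy.get(g) : null; };
  const script = effective('script-src');
  if (script === null) {
    findings.push('script-src: unrestricted (neither script-src nor default-src set)');
  } else {
    if (script.includes("'unsafe-inline'")) findings.push("script-src: 'unsafe-inline' lets injected inline script run");
    if (script.includes("'unsafe-eval'")) findings.push("script-src: 'unsafe-eval' allows eval()/new Function()");
    if (script.includes('*')) findings.push('script-src: wildcard allows scripts from any origin');
    if (script.some((s) => s === 'http:' || s.startsWith('http://'))) findings.push('script-src: plaintext http: source can be tampered with in transit');
  }
  const object = effective('object-src');
  if (object === null || !object.includes("'none'")) findings.push("object-src: should be 'none' unless plugins are required");
  for (const d of ['base-uri', 'form-action', 'frame-ancestors']) {
    if (governingDirective(policy, d) === null) findings.push(`${d}: not set and does not inherit from default-src`);
  }
  return findings;
}

// Attach to a Node http.ServerResponse (anything with setHeader works).
function applyCsp(res, header) { res.setHeader(header.name, header.value); return res; }

// Constructed config, filled in as the generator's fields would be.
const exampleConfig = {
  'default-src': "'self'",
  'script-src': "'self', https://cdn.example.com",
  'connect-src': "'self', https://api.example.com, wss://ws.example.com",
  'object-src': "'none'",
  'base-uri': "'self'",
  'form-action': "'self'",
  'frame-ancestors': "'none'",
};

function demo() {
  const enforce = buildHeader(exampleConfig);
  const staged = buildHeader(exampleConfig, { reportOnly: true, reportUri: '/csp-report' });
  console.log(`${enforce.name}: ${enforce.value}`);
  console.log(`${staged.name}: ${staged.value}`);
  const policy = toPolicy(exampleConfig);
  console.log('font-src governed by', governingDirective(policy, 'font-src'));
  console.log('worker-src governed by', governingDirective(policy, 'worker-src'));
  for (const f of lint({ 'default-src': "'self'", 'script-src': "'self', 'unsafe-inline'" })) console.log('lint:', f);
  return enforce;
}

demo();
```

Run it and compare the two header lines: the only differences are the header name and the trailing `report-uri`, which is what makes staging a policy in report-only mode cheap. The lint output for the weak config shows why a policy that "looks strict" because it sets `default-src 'self'` still leaves `base-uri`, `form-action` and `frame-ancestors` wide open.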