CSP Header Builder

Build Content-Security-Policy headers interactively with directive explanations and live preview.


Fetch Directives

default-src: Fallback for every fetch directive that is not explicitly set.
script-src: Valid sources for JavaScript. Overrides default-src for scripts.
style-src: Valid sources for stylesheets and CSS.
img-src: Valid sources for images and favicons.
font-src: Valid sources for fonts loaded via @font-face.
connect-src: Valid targets for fetch, XHR, WebSocket, and EventSource.
media-src: Valid sources for <audio> and <video> elements.
frame-src: Valid sources for nested browsing contexts (<iframe>).
object-src: Valid sources for <object> and <embed> elements. Recommend 'none'.

Document & Navigation Directives

base-uri: Restricts the URLs that can be used in <base> elements.
form-action: Restricts the URLs that can be used as form action targets.
frame-ancestors: Valid parents that may embed this page. Replaces X-Frame-Options.

Other Directives

upgrade-insecure-requests: Instructs the browser to rewrite HTTP URLs to HTTPS automatically.
block-all-mixed-content: Prevents loading any assets over HTTP on HTTPS pages.
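The following is an added example, not the tool's own code, showing how a builder like this assembles the header string and then checks it against the notes above (the default-src fallback, object-src 'none', frame-ancestors). The lint rules and the sample policy shape are this example's own assumptions.

```javascript
// Added example (not the tool's own code): build a Content-Security-Policy
// header from a directive map and flag the weak settings a reviewer looks for.
// Directive names and keyword quoting follow the CSP spec; the lint rules are
// this example's own choices.

const BOOLEAN_DIRECTIVES = ["upgrade-insecure-requests", "block-all-mixed-content"];

// Keywords must be single-quoted in the header; hosts and schemes must not be.
function formatSource(src) {
  const keywords = ["self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"];
  const bare = src.replace(/^'|'$/g, "");
  return keywords.includes(bare) ? `'${bare}'` : bare;
}

// policy shape (assumed): { "script-src": ["self", "https://cdn.example"],
//                           "upgrade-insecure-requests": true, ... }
function buildCsp(policy) {
  const parts = [];
  for (const [name, value] of Object.entries(policy)) {
    if (BOOLEAN_DIRECTIVES.includes(name)) {
      if (value) parts.push(name); // valueless directive
    } else if (Array.isArray(value) && value.length > 0) {
      parts.push(`${name} ${value.map(formatSource).join(" ")}`);
    }
  }
  return parts.join("; ");
}

// Effective source list for a fetch directive, honouring the default-src
// fallback: an unset fetch directive inherits default-src, or is unrestricted.
function effectiveSources(policy, directive) {
  if (Array.isArray(policy[directive])) return policy[directive].map(formatSource);
  if (Array.isArray(policy["default-src"])) return policy["default-src"].map(formatSource);
  return null; // unrestricted
}

function lintCsp(policy) {
  const findings = [];
  if (!policy["default-src"]) findings.push("no default-src: unlisted fetch directives are unrestricted");
  const objects = effectiveSources(policy, "object-src");
  if (!objects || !objects.includes("'none'")) findings.push("object-src should be 'none'");
  const scripts = effectiveSources(policy, "script-src") || [];
  if (scripts.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (scripts.includes("*")) findings.push("script-src allows any host (*)");
  if (!policy["frame-ancestors"]) findings.push("no frame-ancestors: page may be framed by any origin");
  return findings;
}
```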