SlapMyWeb

CSP Header Generator

Build Content-Security-Policy headers visually with presets and per-directive controls

  • default-src: Fallback for all fetch directives that are not set explicitly
  • script-src: Valid sources for JavaScript
  • style-src: Valid sources for stylesheets
  • img-src: Valid sources for images
  • font-src: Valid sources for fonts
  • connect-src: Valid targets for fetch/XHR/WebSocket/EventSource and beacons
  • media-src: Valid sources for audio/video
  • frame-src: Valid sources for iframes (what this page may embed)
  • object-src: Valid sources for <object>, <embed> and <applet> (legacy plugin content; 'none' unless you need it)
  • base-uri: Valid URLs for the <base> element (restricts rewriting of relative URLs)
  • form-action: Valid targets for form submissions
  • frame-ancestors: Who can embed this page (clickjacking protection)
  • upgrade-insecure-requests: Auto-upgrade HTTP subresource requests to HTTPS

Generated Header
Content-Security-Policy: default-src 'self'

What is CSP Header Generator?

A Content-Security-Policy (CSP) header tells browsers which resources are allowed to load on your page and where forms may submit or frames may embed it. It mitigates XSS, data injection and clickjacking by restricting scripts, styles, images, fonts and other resources to trusted sources, so an injected script that is not on the allowlist (or does not carry the right nonce or hash) is refused. It is a defense-in-depth layer, not a replacement for output encoding. This tool lets you build CSP headers visually instead of writing the syntax by hand.

How to Use CSP Header Generator

  1. Start with a preset

     Choose Strict, Moderate or Permissive as a starting point based on your security needs.

  2. Configure directives

     Toggle source values for each directive. Add custom domains where needed.

  3. Test with Report-Only

     Enable Report-Only mode to test your policy without breaking your site. The browser logs each would-be violation to the console (and to a report-uri/report-to endpoint if you configure one) instead of blocking the resource.

  4. Copy and deploy

     Copy the generated header and add it to your server configuration.
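The four steps above as working code. This is an added example, not SlapMyWeb's own implementation: it serialises a directive map into a header value, switches between the enforcing and Report-Only header names, and renders the Apache, Nginx and meta-tag forms. The sample `strictPolicy` object and the directive/keyword tables are constructed for illustration.

```javascript
// Added example (not the tool's source): build and render a CSP header.

// Keywords that must be single-quoted inside a CSP source list.
const KEYWORDS = new Set([
  'self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic',
  'unsafe-hashes', 'report-sample', 'wasm-unsafe-eval',
]);

// Quote keywords, nonces and hashes; leave host/scheme sources untouched.
function normalizeSource(src) {
  const bare = src.replace(/^'|'$/g, '');
  if (KEYWORDS.has(bare) || /^(nonce-|sha(256|384|512)-)/.test(bare)) {
    return `'${bare}'`;
  }
  return bare;
}

// Serialise { directive: [sources] } into the header value. A directive set
// to `true` (e.g. upgrade-insecure-requests) is emitted without sources.
function buildPolicy(directives) {
  const parts = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (sources === true) { parts.push(name); continue; }
    if (!Array.isArray(sources) || sources.length === 0) continue;
    const list = sources.map(normalizeSource);
    // 'none' is only meaningful on its own; anything else alongside it is a mistake.
    if (list.includes("'none'") && list.length > 1) {
      throw new Error(`${name}: 'none' cannot be combined with other sources`);
    }
    parts.push(`${name} ${list.join(' ')}`);
  }
  return parts.join('; ');
}

// Report-Only logs violations instead of blocking; same value, different header.
function headerName(reportOnly) {
  return reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
}

// Directives browsers ignore when the policy is delivered via <meta http-equiv>.
const META_UNSUPPORTED = new Set(['frame-ancestors', 'report-uri', 'report-to', 'sandbox']);

function render(format, directives, reportOnly = false) {
  const name = headerName(reportOnly);
  if (format === 'meta') {
    if (reportOnly) throw new Error('Report-Only cannot be delivered via <meta>');
    const kept = Object.fromEntries(
      Object.entries(directives).filter(([d]) => !META_UNSUPPORTED.has(d)));
    const value = buildPolicy(kept).replace(/"/g, '&quot;');
    return `<meta http-equiv="Content-Security-Policy" content="${value}">`;
  }
  const value = buildPolicy(directives);
  if (format === 'apache') return `Header always set ${name} "${value}"`;
  if (format === 'nginx') return `add_header ${name} "${value}" always;`;
  throw new Error(`unknown format: ${format}`);
}

// Constructed sample policy, roughly a "Strict" starting point.
const strictPolicy = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  'frame-ancestors': ["'none'"],
  'upgrade-insecure-requests': true,
};

// Step 3 (test) and step 4 (deploy) produce the same value under two names.
console.log(render('nginx', strictPolicy, true));
console.log(render('apache', strictPolicy));
```

Note that the meta form silently drops `frame-ancestors`, so clickjacking protection only exists when the policy is sent as an HTTP header.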

Features

  • 13 CSP directives with visual toggles
  • 3 security presets (Strict, Moderate, Permissive)
  • Custom domain allowlisting per directive
  • Report-Only mode for safe testing
  • Apache, Nginx and meta tag output (note: a <meta> tag cannot carry frame-ancestors, report-uri, report-to or sandbox, and Report-Only cannot be set via <meta>)
  • Real-time header preview


Frequently Asked Questions

What does Content-Security-Policy do?
CSP tells browsers which sources are allowed to load scripts, styles, images and other resources. It is one of the most effective mitigations for XSS (cross-site scripting), because injected script that is not allowlisted (or lacks the expected nonce or hash) is not executed. It complements, rather than replaces, proper output encoding.

Should I start with Strict or Moderate?
Start with Report-Only mode and a Moderate policy to see what would break. Once you have fixed all violations, switch to enforcement and tighten to Strict if possible.

What is unsafe-inline?
'unsafe-inline' allows inline <script> and <style> content, including inline event handlers and javascript: URLs for scripts. It weakens CSP significantly, since most XSS payloads are inline, but many frameworks still rely on it. Prefer nonces or hashes instead; when a nonce or hash is present in the same directive, CSP2+ browsers ignore 'unsafe-inline' anyway.

What is frame-ancestors?
frame-ancestors controls who can embed your page in an iframe. Setting it to 'none' prevents clickjacking attacks. It supersedes the older X-Frame-Options header (and takes precedence when both are sent), but keeping X-Frame-Options alongside it is harmless for older browsers.