xutil.dev

CSP Generator

Interactively generate Content Security Policy headers

Related Categories: Web
Presets: Strict, Moderate, Legacy Support
Directive Configuration
default-src
script-src
style-src
img-src
font-src
connect-src
media-src
frame-src
object-src
base-uri
form-action
frame-ancestors
report-uri
Warnings & Info
Missing default-src: browsers will not enforce CSP without it.
Consider setting object-src to 'none' to prevent plugin-based attacks (Flash, Java).
Consider setting base-uri to prevent base tag injection attacks.
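
The three checks listed above can be run against an existing header value. This is an added example, not xutil.dev's own code; the helper names parseCsp and auditCsp, the finding labels and the sample policies are hypothetical and constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy header value for the
// three conditions in the warnings list. Helper names are hypothetical.

function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    // Directive names are case-insensitive.
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// True when a source list matches nothing: empty, or exactly 'none'.
function matchesNothing(sources) {
  if (sources === undefined) return false;
  if (sources.length === 0) return true;
  return sources.length === 1 && sources[0].toLowerCase() === "'none'";
}

function auditCsp(headerValue) {
  const policy = parseCsp(headerValue);
  const findings = [];

  if (!policy.has("default-src")) findings.push("missing-default-src");

  // object-src is a fetch directive, so it falls back to default-src.
  const objectSrc = policy.get("object-src") ?? policy.get("default-src");
  if (!matchesNothing(objectSrc)) findings.push("object-src-not-none");

  // base-uri has no fallback: default-src does not cover it.
  if (!policy.has("base-uri")) findings.push("missing-base-uri");

  return findings;
}

// Constructed sample policies.
const WEAK = "script-src 'self' https://cdn.example; img-src *";
const HARDENED =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

console.log(auditCsp(WEAK));
console.log(auditCsp(HARDENED));
```

Because base-uri and form-action do not inherit from default-src, a policy of only `default-src 'none'` still reports missing-base-uri.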