Content Security Policy (CSP) Generator

Use this interactive tool to generate a proper CSP header for your website, to protect your users' privacy.

A Content-Security-Policy is an HTTP header that adds an extra layer of security to a website. It is used to protect users from Cross-Site Scripting and data injection attacks. To learn more about CSP, please read our explanation of the CSP header.

To generate your CSP, please select from the options below and click the "Add" button for each directive that you want to include in your CSP.

Reporting endpoint: a URL where a JSON-formatted POST will be sent whenever a CSP violation occurs.

Directive: choose the directive that you want to add to your CSP. The default directive (default-src) is the fallback set of restrictions when no other applicable directive is set.

Values: choose the permitted values for this directive.

- Allow all (*): all content sources are valid. Not recommended unless you must provide content from unknown sources (for example, advertising).
- None ('none'): nothing is a valid content source. Blocks everything.
- Self ('self'): the current website is a valid content source, but not its subdomains.
- Unsafe inline ('unsafe-inline'): allows inline script or style resources. Not recommended unless you must run inline scripts from unknown sources. If your site requires inline content, use a nonce or hash instead for more security.
- Unsafe eval ('unsafe-eval'): allows the use of eval() to run scripts or create new CSS rules.
- Sources: allows resources from specific URLs or schemes. Provide a space-separated list of URLs that are valid sources for content. You may use the * wildcard character to match multiple values, and you may include schemes as well (https: or data: or https://*.example.com).
- Nonce: a randomly generated token used to approve specific scripts or styles. The single-use token should be regenerated on each page load. Include the nonce in the tag that you want to permit: <script nonce="ABC123">...</script>
- Hash: allows specific scripts or styles to run, as long as they haven't been modified. Provide the SHA-256 hash of the file or block of code that you want to allow. To create the hash, attempt to load the file and check the browser's console error message. It will report the hash it was expecting to find, which you can copy and paste here.
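The following is an added example, not part of this tool, showing how a server could assemble the same kinds of values the options above describe: a per-response nonce, a 'sha256-...' source expression computed locally instead of copied from the browser console, the header serialised from an ordered set of directives, and a small audit that flags the values the page recommends against (*, 'unsafe-inline', 'unsafe-eval') and a missing default-src fallback. The inline script text, the https://*.example.com wildcard source and the /csp-report endpoint are constructed placeholders.

```python
import base64
import hashlib
import secrets

# Constructed inline script standing in for a block you want to allow;
# the hashed text is exactly what sits between the <script> tags.
INLINE_SCRIPT = "console.log('inline script allowed by hash');"

# Values the tool advises against; a nonce, hash or explicit source is safer.
WEAK_VALUES = ("*", "'unsafe-inline'", "'unsafe-eval'")


def make_nonce(num_bytes=16):
    """Return a fresh, unpredictable nonce; generate one per response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def script_hash(source):
    """Return the 'sha256-<base64>' source expression for an inline script or style.

    This is the same value the browser prints in its console error when an
    unlisted inline block is refused, so it can be computed ahead of time.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(directives):
    """Serialise an ordered {directive: [values]} mapping into a header value."""
    return "; ".join(name + " " + " ".join(values) for name, values in directives.items())


def audit_csp(directives):
    """Return warnings for settings the page recommends against."""
    warnings = []
    if "default-src" not in directives:
        warnings.append("no default-src: fetch directives you did not set are left unrestricted")
    for name, values in directives.items():
        for value in values:
            if value in WEAK_VALUES:
                warnings.append(name + ": " + value + " weakens the policy; prefer a nonce, hash or explicit source")
    return warnings


def example_policy(nonce):
    """Policy using the value shapes the tool offers (hostname and endpoint are hypothetical)."""
    return {
        "default-src": ["'self'"],
        "script-src": ["'self'", "'nonce-" + nonce + "'", script_hash(INLINE_SCRIPT)],
        "style-src": ["'self'"],
        "img-src": ["'self'", "https://*.example.com"],  # hypothetical CDN wildcard source
        "report-uri": ["/csp-report"],                    # hypothetical violation-report endpoint
    }


if __name__ == "__main__":
    nonce = make_nonce()
    policy = example_policy(nonce)
    print("Content-Security-Policy: " + build_csp(policy))
    print('<script nonce="' + nonce + '">...</script>')
    print("hardened policy warnings:", audit_csp(policy))
    # The weak form the page warns about, beside the hardened one above.
    weak = {"script-src": ["*", "'unsafe-inline'"]}
    print("weak policy warnings:", audit_csp(weak))
```

The nonce must be generated on the server for every response and echoed into both the header and the tag; a fixed or predictable nonce gives no protection. The hash only matches while the inline text is byte-for-byte unchanged, which is exactly why the page describes it as allowing a block "as long as it hasn't been modified".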

To simplify this tool and make it easy to use, some seldom-used and advanced features have been omitted. If you need these advanced features, you probably already know about them. You can read about them in the MDN documentation for CSP.

ValidBot can test your website

Test Your Website

Once you have made changes to your CSP header, type your domain name into the box below and run a free ValidBot Test to check if everything is correct. Look in the "Server" section of the report to see if you made all the changes correctly.

If you have implemented a strong Content Security Policy, your users will be protected from certain types of attacks. Obviously this is good for users, but it is also good for the reputation and liability of the website.