What is Content Security Policy (CSP) and why do I need it?

CSP is a security header that helps prevent XSS attacks, clickjacking, and data injection by controlling which resources (scripts, styles, images) can be loaded on your website. It's an essential security measure for modern web applications.

How do I generate a CSP header?

Use the visual builder to select allowed sources for scripts, styles, images, fonts, and other resources. The generator creates a CSP directive string that you can add to your website's HTTP headers or meta tags.

What's the difference between 'self' and '*' in CSP?

'self' allows resources only from the same origin (same protocol, domain, and port) as your page, providing strong security. '*' allows resources from any origin, which is convenient but less secure and should be avoided in production.

How do I test if my CSP is working correctly?

After implementing CSP, check your browser's console for CSP violation reports. The generator includes a testing mode that simulates resource loading to help identify potential issues before deploying to production.

Can I use CSP with inline scripts and styles?

Inline scripts and styles are blocked by default in strict CSP. You can use 'unsafe-inline' (not recommended) or better alternatives like nonces or hashes to allow specific inline content while maintaining security.

How do I generate a Content Security Policy header?

Pick a security preset like strict, moderate, or lenient, then adjust individual directives in the Directive Management panel; the tool keeps a `CSPPolicy` object with your choices. The preview card assembles these into a single header line by joining each directive\u0019s name and sources, prefixed with either `Content-Security-Policy` or `Content-Security-Policy-Report-Only` depending on the Report Only toggle.

What should I include in a Content Security Policy?

The builder starts with common directives like `default-src`, `script-src`, `style-src`, `img-src`, and `connect-src`, and lets you add others from `DIRECTIVES_LIST` such as `frame-ancestors` or `form-action`. For each one you can combine keywords like `'self'`, `'none'`, `'unsafe-inline'`, `https:`, or `data:` and custom domains discovered by the Resource Discovery scanner, which extracts hostnames from pasted HTML, logs, or uploaded files.

How can I test my Content Security Policy rules?

The generator itself doesn\u0019t run live requests, but it gives you a raw header string and a Security Health panel that marks each directive as Strong, Balanced, or Relaxed based on heuristics like the presence of `*` or `'unsafe-inline'`. You can copy the header from the preview and apply it in your server or meta tags, then iterate by tightening sources or moving from Report Only to enforcing mode once the page still loads correctly.

Can AI help audit or suggest improvements to my CSP?

Yes, the Run AI Security Audit button sends the current `CSPPolicy` to the `csp-generator` backend via `geminiService.executeGemini`, which returns an `AIAuditResult` with a numeric score, a summary, and a list of vulnerabilities each with severity, message, and fix text. The AIAuditor component visualizes this as a progress bar and per-issue cards with concrete recommendations you can apply by editing directives in the builder.

Does this CSP generator support copying headers and meta tags?

The Preview panel shows the full header line and provides a Copy button that writes it to your clipboard, as well as an Export action that downloads it as a `.txt` file. You can then paste that value into an HTTP `Content-Security-Policy` header, or adapt the same directive string into a meta CSP tag in your HTML if you prefer meta-based deployment.

CSP Generator | ToolGrid.io - Free Online Tools

Tool Overview

This free online Content Security Policy generator (CSP generator) creates CSP headers for websites. CSP is a security feature that controls which resources a website can load. This tool works as a browser-based CSP header generator that helps you build, customize, and test CSP policies without writing code manually.

Websites face security threats like cross-site scripting attacks, clickjacking, and data injection. These attacks happen when malicious code runs on your site or when attackers trick users into clicking harmful links. CSP prevents these attacks by blocking unauthorized resources. The problem is that CSP syntax is complex. You must list every allowed source for scripts, styles, images, fonts, and more. One mistake can break your site or leave security gaps.

This tool is for website developers, security professionals, and site administrators who want an online tool to create Content Security Policy headers without memorizing every directive. Beginners can use presets to get started quickly. Technical users can fine-tune policies for their specific needs. Professionals can audit existing policies and optimize them for better security. A related operation involves checking security headers as part of a similar workflow.

Background & Concept Explanation

Content Security Policy is a browser security feature. It tells browsers which sources are allowed to load resources on your page. Resources include JavaScript files, CSS stylesheets, images, fonts, and data connections. CSP works by blocking everything by default, then allowing only sources you explicitly permit.

CSP uses directives to control different resource types. Each directive has a name like script-src or style-src. Each directive lists allowed sources. Sources can be domains like example.com, special keywords like 'self' for same origin, or wildcards like https: for all HTTPS sites. The browser checks each resource request against these rules. If a resource comes from an unlisted source, the browser blocks it. For adjacent tasks, checking HTTP headers addresses a complementary step.

CSP can run in two modes. Enforce mode blocks violations immediately. Report-only mode logs violations but does not block them. Report-only mode is useful for testing. You can see what would be blocked without breaking your site. Once you fix all issues, you switch to enforce mode.

People struggle with CSP for several reasons. They do not know which domains their site uses. They forget about third-party scripts, fonts, or analytics. They use inline scripts and styles, which CSP blocks by default. They create policies that are too strict and break functionality. Or they create policies that are too loose and provide little protection. When working with related formats, generating secure passwords can be a useful part of the process.

This tool solves these problems with a visual builder. You select security presets to start. You add or remove directives as needed. You configure allowed sources for each directive. The tool shows a live preview of your policy. It can scan your code to find domains automatically. It can audit your policy for security issues.

Key Features

Security presets: Choose from strict, moderate, or lenient starting configurations. Strict blocks most resources for maximum security. Moderate allows common patterns like inline styles. Lenient allows almost everything for compatibility. This matters because it lets you start quickly without building from scratch.
Visual directive builder: Add, remove, and configure CSP directives through a user-friendly interface. Each directive shows its purpose and current allowed sources. This matters because you can see your entire policy at a glance and make changes easily.
Source management: For each directive, toggle common sources like 'self', 'none', 'unsafe-inline', 'unsafe-eval', https:, and data:. You can also add custom domains manually. This matters because it covers the most common use cases while still allowing full customization.
Resource scanner: Paste HTML code, server logs, or URL lists. The tool extracts domains automatically and suggests them as allowed sources. This matters because it helps you discover all domains your site uses without manual searching.
Real-time preview: See your complete CSP header string as you make changes. The preview shows the exact text you need to add to your HTTP headers or meta tags. This matters because you can copy the policy directly without formatting it yourself.
Security health indicators: Each directive shows a safety rating. Secure means strong protection. Balanced means moderate security. Relaxed means weaker protection. This matters because it helps you understand the security level of your policy at a glance.
Report-only mode toggle: Switch between enforce and report-only modes with one click. This matters because you can test policies safely before deploying them to production.
AI-powered security audit: An optional feature analyzes your policy and provides a security score. It identifies vulnerabilities, explains risks, and suggests fixes. This matters because it catches issues you might miss and helps improve your security posture.
Copy and export: Copy your CSP string to the clipboard or download it as a text file. This matters because you can quickly deploy the policy to your server or share it with your team.
Input validation: The tool validates domains and source strings before adding them. It checks file sizes when uploading content for scanning. Maximum size is 1MB or 500,000 characters. This matters because it prevents errors and keeps the tool responsive.

Common Use Cases

Use this tool in these situations: In some workflows, generating passkeys is a relevant follow-up operation.

Securing a new website: Generate a strict CSP policy from scratch. Use the resource scanner to find all domains your site needs. Add them to the appropriate directives.
Fixing CSP violations: If your browser console shows CSP errors, use the tool to update your policy. Add the missing domains to the correct directives.
Auditing existing policies: Paste your current CSP header into the builder. Use the AI audit to find security weaknesses and get improvement suggestions.
Testing before deployment: Build your policy in report-only mode. Deploy it and check for violations. Fix issues, then switch to enforce mode.
Learning CSP syntax: Use the visual builder to understand how directives work. See how changes affect the final header string.
Migrating to stricter policies: Start with a lenient preset, then gradually tighten rules. Use the security health indicators to track your progress.
Documenting security policies: Export your CSP policy as a text file. Share it with your team or include it in security documentation.

How to Use This Tool (Step-by-Step)

Open the tool and look at the Security Presets section at the top. Choose strict for maximum security, moderate for balanced protection, or lenient for compatibility.
If you have code or logs with domain references, use the Resource Discovery section. Paste your content or upload a file. Click Extract Domains to find all domains automatically.
Review the Directive Management section. You will see a list of CSP directives with their allowed sources. Each directive controls a different resource type.
For each directive, toggle sources using the preset buttons. Click 'self' to allow same-origin resources. Click 'none' to block everything. Click other presets as needed.
To add custom domains, type them in the input field and press Enter. You can also click suggested domains from the resource scanner results.
To add more directives, click Add Directive at the bottom. Select a directive from the menu. New directives start with 'self' as the only allowed source.
To remove a directive, hover over it and click the trash icon. Be careful not to remove essential directives like default-src.
Check the Policy Preview panel on the right. It shows your complete CSP header string. Review the security health indicators for each directive.
Toggle Report Only mode if you want to test without blocking. This is recommended for initial testing. Switch to enforce mode when you are ready for production.
Click the Copy button to copy your CSP string to the clipboard. Or click Export to download it as a file. Add the string to your HTTP headers or meta tags.
For deeper analysis, click Run AI Security Audit. Wait for the analysis to complete. Review the security score and vulnerability suggestions. Make improvements based on the recommendations.

Calculations & Logic

This tool performs text generation and validation, not numeric calculations.

The CSP string generation works by combining directives. Each directive is formatted as "directive-name source1 source2 source3". Multiple directives are joined with semicolons and spaces. The header name depends on report-only mode. Enforce mode uses "Content-Security-Policy". Report-only mode uses "Content-Security-Policy-Report-Only". For related processing needs, generating MD5 hashes handles a complementary task.

Source validation checks if a source string is valid. It accepts special keywords like 'self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', and 'wasm-unsafe-eval'. It accepts protocol schemes like https: and data:. It accepts domain names matching standard domain patterns. It accepts wildcard domains like *.example.com. It accepts the universal wildcard *.

The resource scanner uses regular expressions to find URLs and domains in text. It extracts domains from URLs, counts occurrences, and categorizes them by type. It limits results to 50 domains to prevent UI issues. It normalizes domains to lowercase and removes protocol prefixes.

Security health assessment uses simple heuristics. A directive is marked secure if it only allows 'self'. It is marked at-risk if it includes 'unsafe-inline' or '*'. Otherwise it is marked moderate. This is a visual guide, not a comprehensive security analysis.

The AI audit sends your policy to a backend service for analysis. The service evaluates security risks, checks for common mistakes, and provides recommendations. Results include a numeric security score and a list of vulnerabilities with severity levels and fix suggestions.

Reference Tables or Scales

Directive	What it controls	Common sources
default-src	Fallback for other fetch directives	'self', 'none', https:
script-src	JavaScript files and inline scripts	'self', 'unsafe-inline', specific CDN domains
style-src	CSS stylesheets and inline styles	'self', 'unsafe-inline', font CDNs
img-src	Images and image data	'self', data:, image CDN domains
connect-src	AJAX requests and WebSocket connections	'self', API domains, analytics domains
font-src	Web fonts	'self', font CDN domains, data:
object-src	Plugins like Flash or Java applets	'none' (recommended)
media-src	Audio and video files	'self', media CDN domains
frame-src	Iframe embeds	'self', trusted embed domains
worker-src	Web Workers and Service Workers	'self', blob:, specific worker domains
manifest-src	Web app manifest files	'self'
base-uri	Base element URLs	'self', 'none'
form-action	Form submission targets	'self', specific form handler domains
frame-ancestors	Which sites can embed your page	'none', 'self', trusted parent domains

Tips, Limitations & Best Practices

Start with report-only mode: Deploy your policy in report-only mode first. Check browser console for violations. Fix issues, then switch to enforce mode. This prevents breaking your site.
Use the resource scanner: Before building your policy, scan your HTML, JavaScript, and CSS files. This helps you find all domains your site uses. Add them to the appropriate directives.
Avoid 'unsafe-inline' when possible: Inline scripts and styles are security risks. Use nonces or hashes instead. Only use 'unsafe-inline' if you cannot refactor your code.
Set object-src to 'none': Plugins are rarely needed on modern websites. Blocking them reduces attack surface. Add this directive explicitly even if default-src covers it.
Be specific with domains: Instead of allowing all HTTPS sites with https:, list specific domains. This provides better security and makes policies easier to audit.
Test thoroughly: After deploying CSP, test all functionality. Check forms, images, scripts, styles, and third-party integrations. Fix any blocked resources.
Use the AI audit regularly: Run the security audit when you make changes. It helps you catch mistakes and improve your policy over time.
Document your policy: Export your CSP policy and keep it in version control. Document why each domain is allowed. This helps with maintenance and audits.
Monitor violations: Set up CSP violation reporting. Use a reporting endpoint to track blocked resources. This helps you identify issues in production.
Limitations of the tool: The tool generates CSP headers but does not deploy them. You must add the header to your server configuration or HTML meta tags yourself. The resource scanner may miss some domains if they are dynamically generated. Always verify manually.
Browser compatibility: CSP is supported in all modern browsers. Older browsers ignore CSP headers. This means CSP provides defense in depth but should not be your only security measure.
AI audit requires internet: The AI audit feature calls a backend service. It will not work offline. If the audit fails, check your connection and try again.

Security Presets

Resource Discovery

Directive Management

default-srcFallback for other fetch directives.

script-srcDefines valid sources for JavaScript.

style-srcDefines valid sources for stylesheets.

img-srcDefines valid sources for images.

connect-srcRestricts URLs which can be loaded using script interfaces.

object-srcDefines valid sources for plugins.

base-uriRestricts the URLs which can be used in a document's <base> element.

form-actionRestricts the URLs which can be used as the target of a form submission.

frame-ancestorsSpecifies valid parents that may embed a page.

Policy Preview

Security Health

Deployment Ready

CSP Generator