CSP Generator - Content Security Policy Header Builder | STSCollective


CSP Generator

Tools on this domain run entirely in client-side JavaScript. STS never sees, stores, or processes any of your information.
Generate Content Security Policy headers to protect your website from XSS attacks and other code injection vulnerabilities.
default-src
Serves as a fallback for other fetch directives. Defines the default policy for loading content.
script-src
Defines valid sources for JavaScript. Controls script loading and execution.
⚠️ Using 'unsafe-inline' or 'unsafe-eval' reduces security. Consider using nonces or hashes instead.
style-src
Defines valid sources for CSS stylesheets and style elements.
img-src
Defines valid sources for images and favicons.
connect-src
Restricts URLs that can be loaded via XMLHttpRequest, WebSocket, fetch(), etc.
font-src
Defines valid sources for fonts loaded via @font-face.
frame-src
Defines valid sources for nested browsing contexts (iframe, embed, object).
upgrade-insecure-requests
Instructs browsers to upgrade all HTTP requests to HTTPS automatically.
block-all-mixed-content
Prevents loading any assets over HTTP when the page is served over HTTPS.
Quick Start Presets
Apply common CSP configurations for different types of websites. You can customize further after applying a preset.
Preset Descriptions

Strict Security: Maximum protection with minimal external resources allowed.

Balanced: Good security while allowing common external resources like CDNs and fonts.

Legacy Support: Compatible with older applications that may use inline scripts/styles.

Single Page App: Optimized for modern SPAs with API connections and dynamic content.

Generated Content Security Policy
Header format: Content-Security-Policy: [policy]
Meta tag format: <meta http-equiv="Content-Security-Policy" content="[policy]">
