Yoryantra
← Back to Tools

CSP Policy Builder

Build Content Security Policy headers, configure CSP directives, add trusted sources, and copy production-ready security header output directly in your browser.

Policy Setup

Choose a starting preset, then customize directives and trusted sources. Start with report-only mode when testing a new CSP on a live website.

10 directives enabled

Trusted Source Shortcuts

Add common trusted source groups quickly, then review each directive below. Avoid broad sources unless your site truly needs them.

Enabled

Add space-separated hosts, schemes, hashes, nonces, or CSP keywords for this directive.

Enabled

Add space-separated hosts, schemes, hashes, nonces, or CSP keywords for this directive.

Enabled

Add space-separated hosts, schemes, hashes, nonces, or CSP keywords for this directive.

Enabled

Add space-separated hosts, schemes, hashes, nonces, or CSP keywords for this directive.

Enabled

Add space-separated hosts, schemes, hashes, nonces, or CSP keywords for this directive.

Enabled

Add space-separated hosts, schemes, hashes, nonces, or CSP keywords for this directive.

Disabled
Enabled

Add space-separated hosts, schemes, hashes, nonces, or CSP keywords for this directive.

Disabled
Enabled

Add space-separated hosts, schemes, hashes, nonces, or CSP keywords for this directive.

Enabled

Add space-separated hosts, schemes, hashes, nonces, or CSP keywords for this directive.

Enabled

Add space-separated hosts, schemes, hashes, nonces, or CSP keywords for this directive.

Disabled
Disabled
Disabled

Reporting Options

Reporting endpoints help test policies safely. Report-only mode is usually better while discovering what your site needs.

Generated CSP Output

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests
CSP policy generation happens directly in your browser. Your sources, endpoints, and policy values are not uploaded to a server.

Building Content Security Policy Headers Safely

Content Security Policy is a browser security layer that helps limit where scripts, styles, images, fonts, frames, and network requests can load from. A well-planned CSP can reduce the impact of cross-site scripting, injection bugs, unexpected third-party resources, and risky page embedding.

This CSP Policy Builder gives you a practical way to assemble a policy directive by directive. You can start with a balanced preset, add trusted sources, generate report-only headers for testing, and copy output for HTTP headers, meta tags, Nginx, Apache, or JSON documentation.

Creating a CSP Without Guessing Every Directive

  1. Choose a strict, balanced, or compatibility preset.
  2. Enable the directives your site needs.
  3. Add trusted sources for scripts, styles, images, fonts, and connections.
  4. Use report-only mode while testing on a live website.
  5. Copy the generated CSP output and review browser reports before enforcing the final policy.

Common CSP Policy Builder Use Cases

  • Creating a first CSP header for a new website or app.
  • Testing stricter CSP rules in report-only mode.
  • Documenting approved third-party script, image, and API sources.
  • Reducing risky inline scripts and broad wildcard permissions.
  • Preparing Nginx or Apache header snippets for deployment.
  • Reviewing CSP directives while debugging blocked browser resources.

Example Content Security Policy

default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'

Why Report-Only Mode Matters

A strict CSP can accidentally block scripts, styles, API calls, images, analytics, payment widgets, or embedded content if the policy does not include the correct sources. Report-only mode lets browsers send violation reports without enforcing the policy.

For production sites, it is safer to test in report-only mode, review browser console messages and reporting data, then gradually enforce a policy once you understand which sources are required.

Frequently Asked Questions

What is a CSP policy?

A Content Security Policy is a browser security policy that tells the browser which sources are allowed for scripts, styles, images, fonts, connections, frames, and other page resources.

Should I use enforce mode or report-only mode?

Use report-only mode while testing a new or changed CSP. Use enforce mode once you have reviewed violations and confirmed that important site features are not blocked.

Is unsafe-inline recommended?

It is usually better to avoid unsafe-inline when possible. Some older sites need it temporarily, but nonces, hashes, and moving inline code into separate files are safer long-term options.

Can I use a CSP meta tag?

A meta tag can work for some CSP directives, but HTTP headers are generally preferred and support more complete behavior. Use the meta output only when a header is not available.

Does this tool validate every browser behavior?

No. It helps build a policy, but you should test the generated CSP in your browser, review console messages, and check your production monitoring before enforcing a strict policy.

Are my sources uploaded anywhere?

No. The policy is built directly in your browser, and your source values are not uploaded to a server.