CSP Generator
Generate Content Security Policy headers
default-src: Fallback for other directives
script-src: Valid sources for JavaScript
style-src: Valid sources for stylesheets
img-src: Valid sources for images
font-src: Valid sources for fonts
connect-src: Valid sources for fetch, XHR, WebSocket
media-src: Valid sources for audio and video
object-src: Valid sources for plugins
frame-src: Valid sources for iframes
frame-ancestors: Valid parents that can embed this page
base-uri: Valid URLs for <base> element
form-action: Valid targets for form submissions
Security Issues
Output
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'
Meta Tag
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'">
Report-Only Header (for testing)
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'
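
Added example (not the generator's own code): a small JavaScript linter that parses the policy shown in the Output above and reports weaknesses of the kind a Security Issues panel would list, including the fact that browsers ignore frame-ancestors when the policy comes from a meta tag. The function names, the rule set and the message wording are assumptions of this example.

```javascript
// Added example: a small CSP linter. Rule names and messages are this example's own.
const GENERATED =
  "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; " +
  "img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'";

// Split a serialized policy into Map(directive -> [source expressions]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // Per CSP3, a repeated directive is ignored; the first occurrence wins.
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Fetch directives fall back to default-src; base-uri, form-action and
// frame-ancestors do not.
function effective(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

function lintCsp(policy, delivery = 'header') {
  const d = parseCsp(policy);
  const issues = [];
  const script = effective(d, 'script-src');
  if (script === null || script.includes('*')) {
    issues.push('script-src: scripts are not restricted');
  } else {
    const hasNonceOrHash = script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    // With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash)
      issues.push("script-src: 'unsafe-inline' allows injected inline scripts to run");
    if (script.includes("'unsafe-eval'"))
      issues.push("script-src: 'unsafe-eval' allows string-to-code evaluation");
  }
  const object = effective(d, 'object-src');
  if (object === null || object.includes('*'))
    issues.push('object-src: plugin content is not restricted');
  for (const name of ['base-uri', 'form-action'])
    if (!d.has(name)) issues.push(`${name}: not set, and default-src does not cover it`);
  if (delivery === 'meta' && d.has('frame-ancestors'))
    issues.push('frame-ancestors: ignored when the policy is delivered in a <meta> element');
  return issues;
}
```

Calling lintCsp(GENERATED) reports the inline-script allowance and the missing base-uri and form-action directives; lintCsp(GENERATED, 'meta') additionally reports frame-ancestors.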