uxTools
Security & Crypto

CSP Generator

Full CSP Level 3 directive coverage, source-chip pills, nonce generator, in-browser SHA-256/384/512 hash helper, templates (strict, Stripe, Sentry, Google), analyzer for pasted policies with severity-graded issues, and snippets for Helmet / Next / Nginx / Apache / meta tag.

Templates

Start from a sensible baseline, then customize.

default-src: Fallback for fetch directives that are not otherwise set. (set to: 'self')
script-src: Sources for JavaScript (and other script-like) execution.
script-src-elem: Sources allowed for <script> elements.
script-src-attr: Sources allowed for inline event handlers like onclick.
style-src: Sources for stylesheets — <style>, <link rel=stylesheet>, etc.
style-src-elem: Sources allowed for <style> and <link rel=stylesheet>.
style-src-attr: Sources allowed for inline style attributes.
img-src: Sources for images, including favicons and srcset.
font-src: Sources for fonts loaded via @font-face.
connect-src: Endpoints reachable via fetch, XHR, WebSocket, EventSource.
media-src: Sources for <audio>, <video> and <track>.
object-src: Sources for <object>, <embed> and <applet>. Use 'none'. (set to: 'none')
child-src: Sources for web workers and nested frames. Replaced by worker-src + frame-src.
frame-src: Sources permitted inside <frame> and <iframe>.
worker-src: Sources for Worker, SharedWorker and ServiceWorker scripts.
manifest-src: Sources for the application manifest file.
prefetch-src: Sources for prefetched / prerendered resources (deprecated).
base-uri: Allowed values for the document's <base> element. (set to: 'self')
sandbox: Applies sandbox restrictions to the document.

A directive with no sources is left out of the header and falls back to default-src. If you add a nonce source, remember to forward the nonce to your <script nonce=…> tags.

Generated header

Drop this value into your origin server, edge or middleware.

105 B. Within typical header size budget.
Single-line
default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests
Pretty multi-line
default-src 'self';
object-src 'none';
base-uri 'self';
frame-ancestors 'self';
upgrade-insecure-requests

Policy review

0 severe · 0 warnings · 0 hints · 1 good

object-src: object-src 'none' is set — legacy plug-in vectors are disabled.
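As an added example (not the uxTools analyzer itself), the following Node.js code parses a pasted policy and grades it with the same four severities used in the review above. The rules are common CSP hardening checks I am encoding here, not the tool's rule set; the weak policy at the bottom is constructed for illustration, and the fallback table collapses the finer script-src-elem/attr and worker-src chains down to default-src.

```javascript
// Added example, not part of the uxTools page. Plain Node.js, no dependencies.

// Directive names the analyzer recognises (CSP Level 3 plus common reporting directives).
const KNOWN = new Set([
  'default-src', 'script-src', 'script-src-elem', 'script-src-attr',
  'style-src', 'style-src-elem', 'style-src-attr', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'child-src', 'frame-src',
  'worker-src', 'manifest-src', 'prefetch-src', 'base-uri', 'sandbox',
  'frame-ancestors', 'form-action', 'upgrade-insecure-requests',
  'block-all-mixed-content', 'report-uri', 'report-to',
  'require-trusted-types-for', 'trusted-types',
]);

// Fetch directives that fall back to default-src when absent (simplified:
// the elem/attr and worker-src chains are treated as falling straight back).
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src', 'media-src',
  'object-src', 'child-src', 'frame-src', 'worker-src', 'manifest-src', 'prefetch-src',
]);

// Split a header value into a Map of directive -> source list.
// Browsers enforce only the first occurrence of a repeated directive.
function parsePolicy(header) {
  const directives = new Map();
  const duplicates = [];
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (directives.has(name)) { duplicates.push(name); continue; }
    directives.set(name, tokens.slice(1));
  }
  return { directives, duplicates };
}

function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FETCH_DIRECTIVES.has(name)) return directives.get('default-src') || [];
  return [];
}

const isNone = (sources) => sources.length === 1 && sources[0] === "'none'";

// Returns { findings: [{severity, directive, message}], counts: {severe, warning, hint, good} }.
function analyzePolicy(header) {
  const { directives, duplicates } = parsePolicy(header);
  const findings = [];
  const add = (severity, directive, message) => findings.push({ severity, directive, message });

  for (const name of directives.keys()) {
    if (!KNOWN.has(name)) add('hint', name, 'unknown directive; browsers ignore it');
  }
  for (const name of duplicates) add('hint', name, 'repeated directive; only the first occurrence is enforced');

  // Script sources: the directives that matter most for XSS mitigation.
  const scripts = effectiveSources(directives, 'script-src');
  const hasNonceOrHash = scripts.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (scripts.includes("'unsafe-inline'")) {
    if (hasNonceOrHash) add('hint', 'script-src', "'unsafe-inline' is ignored by browsers that honour nonces/hashes; it only serves as a fallback");
    else add('severe', 'script-src', "'unsafe-inline' allows any inline script and defeats CSP as an XSS mitigation");
  }
  if (scripts.includes("'unsafe-eval'")) add('warning', 'script-src', "'unsafe-eval' permits eval() and other string-to-code APIs");
  if (scripts.some((s) => s === '*' || s === 'https:' || s === 'http:')) add('warning', 'script-src', 'wildcard or bare-scheme source allows scripts from any host');

  // Plug-in content: the check the review panel above reports as "good".
  const objects = effectiveSources(directives, 'object-src');
  if (directives.has('object-src') && isNone(objects)) add('good', 'object-src', "object-src 'none' is set; legacy plug-in vectors are disabled");
  else if (!isNone(objects)) add('warning', 'object-src', "object-src is not restricted to 'none'");

  // Document directives do not inherit from default-src, so absence means no restriction.
  if (!directives.has('base-uri')) add('warning', 'base-uri', 'missing; an injected <base> tag could redirect relative script URLs');
  if (!directives.has('frame-ancestors')) add('hint', 'frame-ancestors', 'missing; the page may be framed by any origin');
  if (!directives.has('upgrade-insecure-requests')) add('hint', 'upgrade-insecure-requests', 'absent; http: subresources are not upgraded');

  const counts = { severe: 0, warning: 0, hint: 0, good: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return { findings, counts };
}

// The page's generated policy, followed by a constructed weak policy for contrast.
const PAGE_POLICY = "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests";
const WEAK_POLICY = "default-src *; script-src 'unsafe-inline' 'unsafe-eval'";
console.log(analyzePolicy(PAGE_POLICY).counts, analyzePolicy(WEAK_POLICY).findings);
```

Running it on the page's policy reproduces the review line above (no severe, warning or hint findings and one good finding for object-src), while the weak policy surfaces 'unsafe-inline' as severe and the wildcard default that object-src inherits as a warning.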