Generator

CSP Header Builder

Build a Content-Security-Policy header field-by-field with sensible defaults. Toggle report-only mode to test without enforcement.

default-src

script-src

style-src

img-src

font-src

connect-src

frame-src

media-src

object-src

base-uri

form-action

upgrade-insecure-requests

Report-only mode

Full header

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; object-src 'none'; base-uri 'self'; upgrade-insecure-requests

nginx

add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; object-src 'none'; base-uri 'self'; upgrade-insecure-requests" always;

Apache .htaccess

Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; object-src 'none'; base-uri 'self'; upgrade-insecure-requests"