Content-Security-Policy Header Generator

Build a Content-Security-Policy header directive by directive, with source chips and copy-ready meta, nginx, and Apache snippets. Everything runs in your browser.

The CSP Generator runs entirely in your browser. The directives, hosts, and schemes you enter to build your Content-Security-Policy never leave your device and are not uploaded to ArrayKit.

Open the Cache-Control Header Generator

About CSP Header Generator

The CSP Generator builds a Content-Security-Policy header one directive at a time. Fill in default-src, script-src, style-src, img-src, connect-src, font-src, frame-src, and more by clicking source chips like 'self', 'none', 'unsafe-inline', data:, and https:, or by typing custom hosts such as cdn.example.com. Keyword sources are single-quoted for you while hosts and schemes stay bare, so the policy is always valid. Empty directives are dropped automatically and everything is emitted in canonical order. Flip the report-only toggle to test a policy in monitor mode before you enforce it, then copy the raw header, an HTML meta tag, or ready-to-paste nginx and Apache snippets. Built for developers hardening a site against XSS and clickjacking, right in the browser — the policy you build never leaves your device.

Features

How to use the CSP Header Generator

  1. Click source chips or type a host to add sources to each directive you need
  2. Leave directives you do not want empty — they are dropped from the output
  3. Toggle Report-Only if you want to monitor violations before enforcing
  4. Copy the Content-Security-Policy header value or the meta, nginx, or Apache snippet

Example

Input

default-src: 'self'
script-src: 'self' https:
img-src: 'self' data:
object-src: 'none'

Output

Content-Security-Policy: default-src 'self'; script-src 'self' https:; img-src 'self' data:; object-src 'none'

Keywords like 'self' are quoted; schemes such as https: and data: stay bare.

Common errors & troubleshooting

Frequently asked questions

What does this CSP generator produce?
It builds a full Content-Security-Policy header value from the directives and sources you choose, then gives you the raw header, an HTML meta tag, and nginx and Apache add_header snippets you can paste into your config.
Which CSP sources get single quotes and which do not?
Keyword sources like 'self', 'none', 'unsafe-inline', 'unsafe-eval', and 'strict-dynamic', plus nonces and hashes, are single-quoted. Hosts and schemes such as https:, data:, and cdn.example.com are left bare. The tool quotes them correctly for you.
What is the report-only toggle for?
It switches the header name to Content-Security-Policy-Report-Only, which reports violations without blocking anything. Use it to stage a new policy on a live site and watch the console before you enforce it.
Can I deliver the whole policy as a CSP meta tag?
Mostly, yes — the tool emits a <meta http-equiv> tag for the enforcing policy. But frame-ancestors, report-uri, report-to, and sandbox are ignored in a meta tag, so use the HTTP header snippet when your policy relies on them.
Why does the header leave out directives I did not fill in?
Directives with no sources are dropped so the output stays clean and valid. default-src acts as the fallback for any fetch directive you leave empty, so you only need to override the ones that differ.
Does building the CSP header send my hosts anywhere?
No. The CSP Generator runs entirely in your browser. The directives and hosts you enter stay on your device and are never uploaded to ArrayKit.

Related tools

All ArrayKit tools