Content-Security-Policy Header Generator
Build a Content-Security-Policy header directive by directive, with source chips and copy-ready meta, nginx, and Apache snippets. Everything runs in your browser.
The CSP Generator runs entirely in your browser. The directives, hosts, and schemes you enter to build your Content-Security-Policy never leave your device and are never uploaded to ArrayKit.
About the CSP Generator
The CSP Generator builds a Content-Security-Policy header one directive at a time. Fill default-src, script-src, style-src, img-src, connect-src, font-src, frame-src, and more by clicking source chips such as 'self', 'none', 'unsafe-inline', data:, and https:, or by typing custom hosts such as cdn.example.com. Keyword sources are single-quoted for you while hosts and schemes stay bare, so the serialized policy is always syntactically valid. Empty directives are dropped automatically and everything is emitted in canonical order. Flip the report-only toggle to test a policy in monitor mode before enforcing it, then copy the raw header, an HTML meta tag, or ready-to-paste nginx and Apache snippets. Built for developers hardening a site against XSS and clickjacking, straight in the browser: the policy you build never leaves your device.
Features
- Per-directive editor for default-src, script-src, style-src, img-src, connect-src, font-src, frame-src, and more
- One-click source chips: 'self', 'none', 'unsafe-inline', 'unsafe-eval', data:, https:, blob:, and *
- Add custom hosts and schemes; keywords are single-quoted while hosts stay bare
- Report-only toggle emits Content-Security-Policy-Report-Only for testing without blocking
- Directives are emitted in canonical order and empty directives are dropped automatically
- Copy the raw header, an HTML meta http-equiv tag, or nginx add_header and Apache mod_headers Header snippets
- Duplicate sources within a directive are removed as you build
- Runs entirely in your browser; the policy you build is never uploaded
How to use the CSP Generator
- Click source chips or type a host to add sources to each directive
- Leave directives you do not need empty; they are dropped from the output
- Toggle Report-Only if you want to monitor violations before enforcing
- Copy the Content-Security-Policy header value or the meta, nginx, or Apache snippet
Example
Input
default-src: 'self'
script-src: 'self' https:
img-src: 'self' data:
object-src: 'none'
Output
Content-Security-Policy: default-src 'self'; script-src 'self' https:; img-src 'self' data:; object-src 'none'
Keywords such as 'self' are quoted; schemes such as https: and data: stay bare.
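The serialization rules described above (quoting of keywords, nonces and hashes, bare hosts and schemes, de-duplication, dropping empty directives, canonical ordering, the report-only header name switch, and the meta, nginx and Apache snippets) as an added example. This is not ArrayKit's code: the canonical order, the keyword list and the function names are assumptions of this example, and the input is the page's own example policy entered out of order with a duplicate and a pre-quoted keyword.

```javascript
// Added example, not ArrayKit's code: a small CSP serializer with the same
// rules the page describes. Keywords, nonces and hashes are single-quoted,
// hosts and schemes stay bare, duplicates within a directive are dropped,
// empty directives are omitted, output is in a fixed canonical order, and the
// report-only toggle changes the header name.

// Canonical order used by this example (an assumption; the page does not
// publish the tool's own order). Unknown directives are appended alphabetically.
const CANONICAL_ORDER = [
  'default-src', 'script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src', 'worker-src',
  'manifest-src', 'base-uri', 'form-action', 'frame-ancestors',
  'sandbox', 'report-uri', 'report-to', 'upgrade-insecure-requests',
];

// Keyword sources that must be wrapped in single quotes.
const KEYWORDS = new Set([
  'self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic',
  'unsafe-hashes', 'wasm-unsafe-eval', 'report-sample',
]);

// Directives browsers ignore inside <meta http-equiv>; header delivery only.
const HEADER_ONLY = new Set(['frame-ancestors', 'report-uri', 'report-to', 'sandbox']);

// Quote keyword, nonce and hash tokens; leave hosts and schemes bare.
// Pre-quoted input such as "'self'" is accepted and normalised.
function formatSource(raw) {
  const token = raw.trim().replace(/^'|'$/g, '');
  const quoted = KEYWORDS.has(token) || /^(nonce|sha256|sha384|sha512)-/.test(token);
  return quoted ? `'${token}'` : token;
}

function rank(name) {
  const i = CANONICAL_ORDER.indexOf(name);
  return i === -1 ? CANONICAL_ORDER.length : i;
}

// policy: { 'script-src': ['self', 'https:'], 'upgrade-insecure-requests': true, ... }
function buildCspValue(policy) {
  const names = Object.keys(policy).sort((a, b) => rank(a) - rank(b) || a.localeCompare(b));
  const parts = [];
  for (const name of names) {
    const spec = policy[name];
    if (spec === true) { parts.push(name); continue; }   // valueless directive
    const seen = new Set();                               // Set keeps first occurrence, drops duplicates
    for (const raw of spec || []) {
      if (!raw || !raw.trim()) continue;
      seen.add(formatSource(raw));
    }
    if (seen.size === 0) continue;                        // empty directive is dropped
    parts.push(`${name} ${[...seen].join(' ')}`);
  }
  return parts.join('; ');
}

// Render the header plus the copy-ready snippets for the chosen mode.
function render(policy, { reportOnly = false } = {}) {
  const value = buildCspValue(policy);
  const headerName = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  const headerOnly = Object.keys(policy).filter((n) => HEADER_ONLY.has(n));
  // A report-only policy cannot be delivered by <meta>, and header-only directives
  // are ignored there, so the meta variant drops them and a warning says so.
  const metaPolicy = Object.fromEntries(Object.entries(policy).filter(([n]) => !HEADER_ONLY.has(n)));
  const meta = reportOnly ? null
    : `<meta http-equiv="Content-Security-Policy" content="${buildCspValue(metaPolicy)}">`;
  return {
    headerName,
    headerValue: value,
    headerLine: `${headerName}: ${value}`,
    meta,
    nginx: `add_header ${headerName} "${value}" always;`,
    apache: `Header always set ${headerName} "${value}"`,
    warnings: headerOnly.map((n) => `${n} only works in the HTTP header, not in a <meta> tag`),
  };
}

// The page's own example, entered out of order with a duplicate and a
// pre-quoted keyword to exercise the normalisation.
const PAGE_EXAMPLE = {
  'object-src': ["'none'"],
  'img-src': ['self', 'data:', 'data:'],
  'script-src': ['self', 'https:'],
  'default-src': ['self'],
};

const out = render(PAGE_EXAMPLE);
console.log(out.headerLine);
console.log(out.meta);
console.log(out.nginx);
console.log(out.apache);
```

Running it prints the same header value the Example section shows. The `always` in the nginx snippet and the `always` condition in the Apache snippet make the header apply to error responses too; without them both servers only add it to 2xx/3xx responses, which leaves error pages unprotected.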
Common errors and troubleshooting
- The browser reports 'Refused to load' errors after the policy is added. — A source is missing for that resource type. The console message names the directive that blocked the request; add the host or scheme to that directive (or to default-src as the fallback) and rebuild the header.
- Inline scripts or styles stop working as soon as the policy goes live. — CSP blocks inline code unless you allow it. Add 'unsafe-inline' to script-src or style-src, or, better, move to a nonce or hash source token. Once a nonce or hash is present in a directive, browsers ignore 'unsafe-inline' in that directive, so pick one approach rather than mixing them.
- The meta tag version is ignored while the response header works. — Some directives, such as frame-ancestors, report-uri, and sandbox, only work as a real HTTP header, not in a <meta> tag. Prefer the header snippet for those.
- Report-Only mode is blocking requests instead of only logging. — Check the header name. Enforcement uses Content-Security-Policy; monitoring uses Content-Security-Policy-Report-Only. The toggle switches the name for you. Also confirm that no enforcing policy is being sent elsewhere (a proxy, a framework default, or a <meta> tag): every policy a response carries is applied, so a report-only header does not relax an enforcing one.
Frequently asked questions
- What does this CSP generator produce?
- It builds a complete Content-Security-Policy header value from the directives and sources you choose, then gives you the raw header, an HTML meta tag, and nginx add_header and Apache mod_headers Header snippets you can paste into your config.
- Which CSP sources get single quotes and which do not?
- Keyword sources such as 'self', 'none', 'unsafe-inline', 'unsafe-eval', and 'strict-dynamic', plus nonces and hashes ('nonce-...', 'sha256-...'), are single-quoted. Schemes such as https: and data: and hosts such as cdn.example.com are left bare. The tool quotes them correctly for you.
- What is the report-only toggle for?
- It switches the header name to Content-Security-Policy-Report-Only, which reports violations without blocking anything. Use it to stage a new policy on a live site and watch the console before enforcing it. A report-only policy can only be delivered as an HTTP header; browsers do not honour it in a <meta> tag. Add report-uri or report-to if you want the violation reports sent to an endpoint instead of only appearing in the console.
- Can I deliver the whole policy as a CSP meta tag?
- Mostly, yes: the tool emits a <meta http-equiv> tag for the enforcing policy. But frame-ancestors, report-uri, report-to, and sandbox are ignored in a meta tag, so use the HTTP header snippet when your policy depends on them.
- Why does the header leave out directives I did not fill in?
- Directives without sources are dropped so the output stays clean and valid. default-src acts as the fallback for any fetch directive you leave empty, so you only need to override the ones that differ. Note that frame-ancestors, base-uri, form-action, and sandbox are not fetch directives and do not fall back to default-src; set them explicitly when you need them.
- Does building a CSP header send my hosts anywhere?
- No. The CSP Generator runs entirely in your browser. The directives and hosts you enter stay on your device and are never uploaded to ArrayKit.