CSP Header Generator

Visually build a Content-Security-Policy HTTP header. Enable directives like script-src, style-src, and img-src with checkboxes. Copy the generated header string.


default-src: fallback for all resource types
script-src: JavaScript sources
style-src: CSS sources
img-src: image sources
font-src: font sources
connect-src: AJAX and WebSocket sources
media-src: audio and video sources
object-src: plugin sources (Flash, etc.)
frame-src: iframe sources
worker-src: Web Worker sources
form-action: form submission targets
upgrade-insecure-requests: upgrade HTTP requests to HTTPS

Common source values: 'self' 'none' 'unsafe-inline' 'unsafe-eval' https: data: *.example.com

Generated header:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:

How to Use CSP Header Generator

  1. Enable directives: check the directives you want to include, such as default-src, script-src, and style-src.

  2. Set source values: enter the allowed sources for each directive, such as 'self', https:, or specific domains.

  3. Copy the header: copy the generated Content-Security-Policy header string into your web server configuration.
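A small builder and lint pass for the kind of header this tool produces, added here as an example; it is not code from the Utilko tool. It quotes keyword sources the way the header requires, serializes flag directives such as upgrade-insecure-requests, can append a per-response nonce to script-src, and flags settings that weaken the policy; the audit rules (unsafe-inline without a nonce or hash, wildcard or whole-scheme script sources, object-src not 'none') are assumptions chosen for this example.

```python
from typing import Dict, List, Optional

# CSP keywords must be single-quoted; a bare self parses as a host named "self".
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}

def normalize_source(src: str) -> str:
    """Quote keyword sources that users often type without quotes."""
    bare = src.strip("'")
    return "'%s'" % bare if bare in KEYWORDS else src

def build_csp(directives: Dict[str, Optional[List[str]]], nonce: Optional[str] = None) -> str:
    """Serialize {directive: [sources]} into a Content-Security-Policy value.
    None marks a flag directive (upgrade-insecure-requests); nonce, if given, goes on script-src."""
    parts = []
    for name, sources in directives.items():
        if sources is None:
            parts.append(name)
            continue
        values = [normalize_source(s) for s in sources]
        if nonce and name == "script-src":
            values.append("'nonce-%s'" % nonce)
        parts.append("%s %s" % (name, " ".join(values)))
    return "; ".join(parts)

def audit_csp(directives: Dict[str, Optional[List[str]]]) -> List[str]:
    """Flag settings that leave the policy weak against script injection (assumed rules)."""
    def effective(name: str) -> set:
        # An absent fetch directive falls back to default-src.
        sources = directives.get(name)
        if sources is None:
            sources = directives.get("default-src") or []
        return {normalize_source(s) for s in sources}

    findings = []
    script = effective("script-src")
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' with no nonce or hash, so injected inline scripts run")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if script & {"*", "https:", "data:"}:
        findings.append("script-src allows a wildcard or whole scheme instead of specific hosts")
    if "'none'" not in effective("object-src"):
        findings.append("object-src is not 'none', so plugin content can still be loaded")
    return findings

# Constructed input matching the generator's sample header on this page.
EXAMPLE = {"default-src": ["self"], "script-src": ["'self'"],
           "style-src": ["'self'", "'unsafe-inline'"], "img-src": ["'self'", "data:"]}
```

Serve the nonce value in the HTML as well (on each inline script tag) and regenerate it for every response; a fixed nonce gives no protection.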

Frequently Asked Questions

What is a Content Security Policy?
A CSP is an HTTP response header that restricts which resources a browser can load, significantly reducing the risk of XSS attacks.
Should I start with 'strict-dynamic'?
For modern apps, 'strict-dynamic' combined with nonces is the most secure approach. For simpler sites, a basic default-src 'self' policy is a good starting point.


About CSP Header Generator

The CSP Header Generator on Utilko provides a visual builder for Content-Security-Policy headers — one of the most effective HTTP security measures to prevent cross-site scripting attacks.
