CSP Generator

Build a Content-Security-Policy header or <meta> tag by toggling directives and typing source lists. The validator flags unsupported keywords, points out 'unsafe-inline' and 'unsafe-eval' in script sources, and reminds you to add the recommended directives (default-src, object-src, base-uri, form-action, frame-ancestors). Quick-insert for nonces and inline-script hashes. Everything runs in your browser.

Parse an existing CSP

Directives

Header value

 

Validation

Quick-insert

Click to insert a fresh nonce into the source list of the currently-focused directive input (or the first enabled directive if none is focused).

Paste an inline script below, then click "Insert hash" to add the 'sha256-…' source to the focused directive.