GeekFormat

CSP Generator

Policy Templates

Start by choosing a template, then fine-tune directives based on your business needs for better efficiency.

Directive Editor

Edit directives line by line. Supports add, delete, and quick source insertion.

Output Result

Content-Security-Policy
HTTP Header
Content-Security-Policy: default-src 'self'; script-src 'self' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'self'
HTML Meta
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'self'">

Risk Warning

Contains 'unsafe-inline', which reduces XSS protection.
Recommend explicitly setting object-src 'none'.
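As an added example, not code from the GeekFormat tool, here is a small JavaScript linter that parses a serialized CSP the way a browser does and reports the same findings as the Risk Warning box above, plus a repeated directive, which browsers silently ignore after the first occurrence. The policy constant is the one from the Output Result section.

```javascript
// Added example, not part of the GeekFormat tool: parse a serialized CSP and
// flag the same risks the generator's "Risk Warning" box reports.

// CSP serialization: directives are ';'-separated, tokens whitespace-separated,
// directive names case-insensitive. Browsers enforce only the first occurrence
// of a repeated directive name, so duplicates are collected separately.
function parseCsp(header) {
  const directives = new Map();
  const duplicates = [];
  for (const segment of header.split(';')) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;            // empty segment, e.g. trailing ';'
    const name = tokens[0].toLowerCase();
    if (directives.has(name)) duplicates.push(name);
    else directives.set(name, tokens.slice(1));
  }
  return { directives, duplicates };
}

// Returns an array of warning strings for a policy; an empty array means no findings.
function lintCsp(header) {
  const { directives, duplicates } = parseCsp(header);
  const warnings = [];
  const fallback = directives.get('default-src');
  // Fetch directives fall back to default-src when not set explicitly.
  const effective = (name) => directives.get(name) ?? fallback ?? [];

  if (effective('script-src').includes("'unsafe-inline'"))
    warnings.push("script-src allows 'unsafe-inline', which reduces XSS protection");
  if (effective('style-src').includes("'unsafe-inline'"))
    warnings.push("style-src allows 'unsafe-inline', which reduces XSS protection");
  if (effective('script-src').includes("'unsafe-eval'"))
    warnings.push("script-src allows 'unsafe-eval'; keep this to development policies");
  if (!directives.has('object-src') && !(fallback ?? []).includes("'none'"))
    warnings.push("object-src is not set explicitly; set object-src 'none'");
  for (const [name, sources] of directives)
    for (const scheme of ['http:', 'ws:'])
      if (sources.includes(scheme))
        warnings.push(`${name} allows ${scheme}, a development-only source`);
  for (const name of duplicates)
    warnings.push(`${name} appears more than once; browsers enforce only the first`);
  return warnings;
}

// Constructed input: the policy shown in the "Output Result" section above.
const PAGE_POLICY = "default-src 'self'; script-src 'self' https:; style-src 'self' 'unsafe-inline' https:; " +
  "img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'self'";
lintCsp(PAGE_POLICY).forEach((w) => console.log('warning:', w));
```

When copying the HTML Meta form, keep in mind that frame-ancestors, report-uri and sandbox are only honoured in the HTTP header, so the meta tag variant cannot provide the clickjacking protection the header does.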

Generate CSP online, get source rules right first.

Related

Use Cases

  • Generate a practical CSP before site launch to reduce script injection and third-party resource risks
  • Set frame-ancestors to 'none' in admin panels to prevent pages from being embedded in phishing sites
  • Switch to development preset templates allowing http:, ws:, 'unsafe-inline', and 'unsafe-eval' in dev environments
  • Generate directly deployable CSP response headers and meta tags for Nginx, Cloudflare, or backend services

Features

  • Source rules configured by resource type: Scripts, styles, images, and API endpoints kept separate
  • Launch with confidence: Start with a baseline CSP, then tighten policies gradually
  • Avoid whitelist pitfalls: Reduce common errors like missing sources, forgotten semicolons, and conflicting rules
  • Ready to deploy: Generated CSP suitable for server, CDN, or security gateway configuration

How to Use

  1. Choose a preset template (strict production, balanced recommendation, or development local) or manually add directive lines
  2. Edit source values for each directive, using the quick source buttons to add 'self', https: and other tokens
  3. Toggle Report-Only mode, then view the auto-generated HTTP response header and HTML meta tag
  4. Review the risk warning list, then copy the CSP content into your server configuration or page head tag

FAQ

What problem does CSP primarily solve?

CSP restricts which scripts, styles, images, APIs, and iframes a page can load, serving as a critical layer in frontend security baselines.

What are the most common CSP configuration mistakes?

Common issues include incorrect whitelists, missing CDN domains, accidentally blocking inline scripts or styles, and inconsistent sources between test and production environments. The generator helps you construct rules faster.

Is it suitable for Nginx, Cloudflare, or backend response header configuration?

Yes. Generated CSP content can be directly copied into Nginx, Apache, Node.js, Java, Cloudflare, or other security response header configurations.

Is this tool suitable for pre-launch website security configuration?

Absolutely. It helps developers and ops quickly generate baseline CSP rules before launch, reducing omissions and format errors from manual policy writing.