Loading...
Loading...
We use cookies to enhance your experience, analyze site usage, and serve personalized content. By clicking "Accept All," you consent to our use of cookies. See our Cookie Policy and Privacy Policy for details.
Generate Content Security Policy headers with visual builder
A visual Content Security Policy builder that generates CSP headers through an interactive directive editor. Features include a nonce generator for inline scripts/styles, presets for common environments (Strict CSP, WordPress, React/SPA), toggling between meta tag and HTTP header output formats, report-uri/report-to configuration, directives search/filter, and download of the final policy as a text file.
CSP is one of the most effective defenses against XSS, but writing a correct policy manually is complex and error-prone. A visual builder helps developers craft policies that are both secure and functional by guiding them through each directive with clear descriptions.
Security engineers configuring web application defenses, full-stack developers deploying CSP, DevOps engineers adding security headers, and compliance teams documenting security controls.
Start with a preset (Strict, WordPress, React/SPA) or from scratch — directive editor lists all standard CSP directives
Add/remove directives using toggles — each has a description explaining what sources it controls
For each directive, specify allowed sources with autocomplete suggestions (self, domains, nonces, hashes, unsafe-inline, etc.)
Use nonce generator for cryptographically random nonces for inline script and style tags
Toggle between 'Meta Tag' and 'HTTP Header' — meta tags don't support frame-ancestors, sandbox, or report-to
Configure reporting with report-uri URL and optional report-to endpoint name
Download the completed policy as .txt or copy to clipboard — includes human-readable summary
Preset: React/SPA | Customize: Add GA => Output: "default-src 'self'; script-src 'self' https://www.googletagmanager.com 'nonce-abc123'; style-src 'self' 'nonce-abc123'; img-src 'self' https://www.google-analytics.com"Preset: Strict CSP | Meta Tag => Output: '<meta http-equiv="Content-Security-Policy" content="base-uri 'self'; default-src 'self'; script-src 'self' 'nonce-{NONCE}' 'strict-dynamic'">'report-uri is older and widely supported. report-to uses the Reporting API and needs a Report-To header.
Blocked unless using 'unsafe-hashes'. Recommended: use addEventListener in nonced scripts.
Yes, including 'strict-dynamic', 'unsafe-hashes', 'report-to', and worker-src.
Allows scripts loaded by an already-trusted script to execute, eliminating the need to list every CDN.
Decode and analyze JWT tokens online free
Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text and files
Generate JSON Web Tokens with custom claims and multiple algorithms
Generate JSON Schema from sample JSON data automatically
Dive deeper with our comprehensive guides and tutorials.