What is Content Security Policy (CSP)?

Content Security Policy is an HTTP header that tells browsers which sources of content are allowed to load on your page. It's the most effective defense against cross-site scripting (XSS) attacks because it prevents browsers from executing injected scripts, even if an attacker finds an injection point in your application.

What does 'unsafe-inline' mean?

The 'unsafe-inline' keyword allows inline scripts and styles (like tags and onclick attributes) to execute. This significantly weakens CSP because most XSS attacks inject inline scripts. For scripts, use nonce-based ('nonce-abc123') or hash-based CSP instead. For styles, 'unsafe-inline' is sometimes necessary but should be avoided where possible.

Should I use 'unsafe-eval'?

Avoid 'unsafe-eval' whenever possible. It allows eval(), Function(), setTimeout('string'), and similar dynamic code execution — all of which are common XSS exploitation techniques. Some frameworks (like older Angular versions) require it, but modern frameworks work without it.

What is the default-src directive?

default-src is the fallback directive — if a specific directive like script-src or img-src isn't set, the browser uses default-src instead. Best practice is to set default-src to 'self' or 'none' and then explicitly allow sources for each content type you need.

How do I deploy a CSP without breaking my site?

Start with Content-Security-Policy-Report-Only instead of Content-Security-Policy. This logs violations without blocking content, so you can identify what would break. Fix violations, then switch to enforcement. Use a reporting endpoint (report-uri or report-to) to collect violations in production.

Free CSP Generator

Build a Content Security Policy header visually

Configure each CSP directive using dropdowns, then generate a production-ready Content-Security-Policy header with copy-paste code for Nginx, Apache, and HTML meta tags.

Question 1 of 9

default-src

Trusted by teams at

How it works

How CSP Generator works

Configure each directive

Select a value for each CSP directive using the dropdowns. Each directive controls which sources are allowed for a specific content type like scripts, styles, images, or frames.

Generate the header

Your selections are compiled into a valid Content-Security-Policy header string that you can copy directly into your server configuration, meta tag, or CDN settings.

Copy implementation code

Get ready-to-paste code snippets for Nginx, Apache, and HTML meta tags. Any unsafe directives are flagged with quick notes on how to tighten them.

Features

What CSP Generator checks

Visual directive builder

Configure nine key CSP directives through a simple interface instead of manually writing complex header strings. Reduces syntax errors and misconfiguration.

Detect unsafe-inline and unsafe-eval risks

Flags directives that use 'unsafe-inline' or 'unsafe-eval', which effectively disable CSP's XSS protection for those content types. Suggests nonce-based or hash-based alternatives.

Generate copy-paste header values

Produces a complete, properly formatted Content-Security-Policy header value ready for your Nginx, Apache, Cloudflare, or application-level configuration.

Flag unsafe directives

Warns about 'unsafe-inline', 'unsafe-eval', and wildcard sources that weaken XSS protection, with one-line fixes for each.

Multiple server formats

Get implementation code for Nginx (add_header), Apache (.htaccess), and HTML meta tags so you can deploy to any environment.

Use cases

Who should use the free CSP Generator

Web Developers

Build a Content Security Policy for your application from scratch without memorizing directive syntax. Start with a strict baseline and loosen only what's needed.

DevOps Engineers

Generate CSP headers for server configurations, CDN edge rules, or reverse proxy setups. Ensure consistent security policies across all environments.

Security Teams

Evaluate and improve existing CSP policies. Identify overly permissive directives that weaken your XSS protection and generate tighter replacements.

More tools

All free security tools

FAQ

Frequently asked questions

Everything you need to know about the free CSP Generator.

Go beyond CSP Generator

This free CSP Generator checks a handful of things. Maced's AI pentest checks thousands.

Get a full autonomous penetration test — including OWASP Top 10, authentication flaws, business logic errors, API security, and more — with a compliance-ready report in hours.

Start Pentest

Proof of exploit on every finding · SOC 2 & ISO 27001 compatible

Free CSP Generator

Build a Content Security Policy header visually

How CSP Generator works

Configure each directive

Generate the header

Copy implementation code

What CSP Generator checks

Visual directive builder

Detect unsafe-inline and unsafe-eval risks

Generate copy-paste header values

Flag unsafe directives

Multiple server formats

Who should use the free CSP Generator

Web Developers

DevOps Engineers

Security Teams

All free security tools

Scanners

Checkers

Decoders & Generators

Compliance & Assessments

Frequently asked questions

This free CSP Generator checks a handful of things. Maced's AI pentest checks thousands.

Free CSP Generatorself.__wrap_n!=1&&self.__wrap_b("_R_138dav5ubtpfl7b_",1)

Build a Content Security Policy header visuallyself.__wrap_n!=1&&self.__wrap_b("_R_158dav5ubtpfl7b_",1)

How CSP Generator worksself.__wrap_n!=1&&self.__wrap_b("_R_l5dav5ubtpfl7b_",1)

Configure each directiveself.__wrap_n!=1&&self.__wrap_b("_R_2j9dav5ubtpfl7b_",1)

Generate the headerself.__wrap_n!=1&&self.__wrap_b("_R_2l9dav5ubtpfl7b_",1)

Copy implementation codeself.__wrap_n!=1&&self.__wrap_b("_R_2n9dav5ubtpfl7b_",1)

What CSP Generator checksself.__wrap_n!=1&&self.__wrap_b("_R_l5lav5ubtpfl7b_",1)

Visual directive builderself.__wrap_n!=1&&self.__wrap_b("_R_339lav5ubtpfl7b_",1)

Detect unsafe-inline and unsafe-eval risksself.__wrap_n!=1&&self.__wrap_b("_R_359lav5ubtpfl7b_",1)

Generate copy-paste header valuesself.__wrap_n!=1&&self.__wrap_b("_R_379lav5ubtpfl7b_",1)

Flag unsafe directivesself.__wrap_n!=1&&self.__wrap_b("_R_399lav5ubtpfl7b_",1)

Multiple server formatsself.__wrap_n!=1&&self.__wrap_b("_R_3b9lav5ubtpfl7b_",1)

Who should use the free CSP Generatorself.__wrap_n!=1&&self.__wrap_b("_R_l5tav5ubtpfl7b_",1)

Web Developersself.__wrap_n!=1&&self.__wrap_b("_R_1j9tav5ubtpfl7b_",1)

DevOps Engineersself.__wrap_n!=1&&self.__wrap_b("_R_1l9tav5ubtpfl7b_",1)

Security Teamsself.__wrap_n!=1&&self.__wrap_b("_R_1n9tav5ubtpfl7b_",1)

All free security toolsself.__wrap_n!=1&&self.__wrap_b("_R_l65av5ubtpfl7b_",1)

Scanners

Checkers

Decoders & Generators

Compliance & Assessments

Frequently asked questionsself.__wrap_n!=1&&self.__wrap_b("_R_l6dav5ubtpfl7b_",1)

What is Content Security Policy (CSP)?

What does 'unsafe-inline' mean?

Should I use 'unsafe-eval'?

What is the default-src directive?

How do I deploy a CSP without breaking my site?

This free CSP Generator checks a handful of things. Maced's AI pentest checks thousands.self.__wrap_n!=1&&self.__wrap_b("_R_15alav5ubtpfl7b_",1)

Free CSP Generator

Build a Content Security Policy header visually

How CSP Generator works

Configure each directive

Generate the header

Copy implementation code

What CSP Generator checks

Visual directive builder

Detect unsafe-inline and unsafe-eval risks

Generate copy-paste header values

Flag unsafe directives

Multiple server formats

Who should use the free CSP Generator

Web Developers

DevOps Engineers

Security Teams

All free security tools

Frequently asked questions

This free CSP Generator checks a handful of things. Maced's AI pentest checks thousands.