CSP Builder & Validator
Build and validate Content Security Policy headers privately in your browser.
Build and validate Content Security Policy headers locally
Create a policy, validate an existing one, and preview framework snippets without sending anything to a server.
A valid CSP can still be too permissive or break legitimate site functionality. Test with Report-Only mode before enforcing it in production.
default-src
Fallback source list applied when a more specific directive is not set.
script-src
Controls which scripts may execute, including inline, external and trusted script sources.
style-src
Controls which stylesheets and style sources may load or execute.
img-src
Controls images, favicons and other image-like resources.
font-src
Controls web fonts and font files.
connect-src
Controls fetch, XHR, WebSocket and similar network connections.
frame-src
Controls frames and iframes that the page may embed.
object-src
Controls plugin and legacy object/embed content.
base-uri
Controls the document base URL and helps prevent base-tag injection.
form-action
Controls which endpoints forms may submit to.
frame-ancestors
Controls which sites may embed this page in a frame.
worker-src
Controls workers and service-worker-like execution contexts.
media-src
Controls audio and video resource loading.
manifest-src
Controls web app manifest loading.
Generated policy output
WaitingBuild or validate a policy to see the output here.
Validation results
Risk warnings
Review these carefully before using a policy in production.