CSP Header Generator
Generate Content Security Policy headers for web security
Sample output for the minimal policy default-src 'self', in the three formats the tool emits:
HTTP header: Content-Security-Policy: default-src 'self'
HTML meta tag: <meta http-equiv="Content-Security-Policy" content="default-src 'self'">
nginx directive: add_header Content-Security-Policy "default-src 'self'" always;
About This Tool
Builds a Content-Security-Policy header from a checklist of allowed sources per directive: default-src, script-src, style-src, img-src, connect-src, frame-src, font-src, and a configurable subset of newer directives such as worker-src and form-action. Reporting endpoints can be attached.
Default output enforces 'self' for default-src and adds explicit allowlists for third parties. Inline scripts and styles require either a nonce or hash expression for each inline block, or 'unsafe-inline', which weakens the policy substantially.
The directive system is a fall-through model. default-src acts as a fallback for any directive not explicitly set. Setting default-src to 'self' and then adding script-src 'self' https://cdn.jsdelivr.net allows scripts from the same origin and the CDN, while images, fonts, and frames all fall back to 'self'. This composition keeps headers compact for most sites: a typical page might set default-src, script-src, style-src, and img-src, leaving the rest to inherit.
Source expressions cover several categories. Origin-based: 'self' for same-origin, https://example.com for explicit hosts, https: for any HTTPS source. Scheme-based: data: for data URIs, blob: for blob URIs. Special keywords: 'unsafe-inline' for inline scripts/styles, 'unsafe-eval' for eval and the Function constructor, 'strict-dynamic' for trusted scripts that can load further scripts. Hash and nonce expressions allow specific inline content without 'unsafe-inline'.
A worked example for a static marketing site using Google Fonts and Stripe: default-src 'self'; script-src 'self' https://js.stripe.com; style-src 'self' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self' data:; frame-src https://js.stripe.com; base-uri 'self'; form-action 'self'. This policy blocks third-party scripts not on the allowlist, prevents inline script injection, and restricts form submission to the origin. Migrating to nonce-based inline scripts would replace 'self' in script-src with 'nonce-{random}' and 'strict-dynamic'.
Common mistakes the generator surfaces: 'unsafe-inline' in script-src defeats most XSS protection; missing frame-ancestors leaves clickjacking exposure (handled by X-Frame-Options as a fallback); missing base-uri allows attackers to redirect relative URLs by injecting a base tag; using https: as a script-src allows any HTTPS origin, which is too broad for production. The deployment recommendation is to ship in Content-Security-Policy-Report-Only first, monitor violations for a week, then flip to enforcement.
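The fall-through model, the marketing-site policy and the mistake checks above, as an added Python example that is not the generator's own code: it serializes a directive map into a header value, resolves which sources a directive inherits from default-src, lints for the four mistakes listed, and performs the nonce migration. The directive map and function names are assumptions for illustration.

```python
import secrets

# Fetch directives that inherit default-src when not set explicitly.
# Navigation/document directives (frame-ancestors, base-uri, form-action) never do.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                         "frame-src", "font-src", "worker-src"}

# Constructed sample: the static marketing site policy from the text.
MARKETING_SITE = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://js.stripe.com"],
    "style-src": ["'self'", "https://fonts.googleapis.com"],
    "font-src": ["https://fonts.gstatic.com"],
    "img-src": ["'self'", "data:"],
    "frame-src": ["https://js.stripe.com"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
}

def build_csp(directives):
    """Serialize {directive: [sources]} into a Content-Security-Policy value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())

def effective_sources(directives, directive):
    """Resolve the fall-through: an unset fetch directive inherits default-src."""
    if directive in directives:
        return list(directives[directive])
    if directive in FALLS_BACK_TO_DEFAULT:
        return list(directives.get("default-src", []))
    return []  # no fallback: the browser applies no restriction for this directive

def lint_csp(directives):
    """Return warnings for the common mistakes described above."""
    warnings = []
    scripts = effective_sources(directives, "script-src")  # inherited values count too
    if "'unsafe-inline'" in scripts:
        warnings.append("script-src allows 'unsafe-inline' (defeats XSS protection)")
    if "https:" in scripts:
        warnings.append("script-src allows any https: origin (too broad)")
    if "frame-ancestors" not in directives:
        warnings.append("frame-ancestors missing (clickjacking; relies on X-Frame-Options)")
    if "base-uri" not in directives:
        warnings.append("base-uri missing (base tag injection)")
    return warnings

def nonce_policy(directives):
    """Migrate script-src: replace 'self' with a per-response nonce plus 'strict-dynamic'."""
    nonce = secrets.token_urlsafe(16)  # base64url, valid in a CSP nonce source
    updated = dict(directives)
    updated["script-src"] = [f"'nonce-{nonce}'", "'strict-dynamic'"] + [
        s for s in directives.get("script-src", []) if s != "'self'"]
    return nonce, updated
```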
The about text and FAQ on this page were drafted with AI assistance and reviewed by a member of the Coherence Daddy team before publishing. See our Content Policy for editorial standards.