CSP Header Generator

Build a Content-Security-Policy header by configuring each directive.

default-src

Fallback for other fetch directives

script-src

Valid sources for JavaScript

style-src

Valid sources for stylesheets

img-src

Valid sources for images

font-src

Valid sources for fonts

connect-src

Valid targets for fetch, XHR, WebSocket

frame-src

Valid sources for frames/iframes

object-src

Valid sources for <object>, <embed>

media-src

Valid sources for audio/video

base-uri

Valid URLs for the <base> element

form-action

Valid endpoints for form submissions

frame-ancestors

Who can embed this page in a frame

'self''none''unsafe-inline''unsafe-eval'https:data:blob:

Add upgrade-insecure-requests

Content-Security-Policy: default-src 'self'; upgrade-insecure-requests