ZeroUtil

CSP Header Generator

Build Content-Security-Policy headers with a visual form, presets and per-directive configuration.

How to Use the CSP Header Generator

Fill in the CSP directives you need for your website. Each directive controls what resources the browser is allowed to load. Use the preset buttons (Strict, Moderate) as a starting point, then customize individual directives. The generated Content-Security-Policy header string appears at the bottom — copy it and add it to your server configuration.

Common Directives

  • default-src — fallback for every fetch directive you do not set explicitly (script-src, img-src, etc.); it does not cover frame-ancestors, form-action or base-uri, which must be set on their own
  • script-src — controls which scripts can execute: external files, inline <script> blocks, event handlers and eval()
  • style-src — controls which stylesheets can be applied, including inline styles
  • img-src — controls which images can be loaded
  • connect-src — controls which URLs can be reached via XHR, fetch(), WebSocket, EventSource and sendBeacon()
  • frame-src — controls which URLs your page may embed in iframes; the separate frame-ancestors directive controls which sites may embed your page, and is the one that defends against clickjacking

Common Values

  • 'self' — allow resources from the page's own origin (same scheme, host and port); subdomains are not included
  • 'none' — block all resources of this type
  • 'unsafe-inline' — allow inline scripts/styles; in script-src this largely defeats CSP's XSS protection, so prefer a 'nonce-…' or 'sha256-…' source for the inline code you actually need
  • https: — allow resources from any HTTPS origin; in script-src this means scripts from every HTTPS host, attacker-controlled ones included
  • data: — allow data: URIs (e.g., inline images); keep it out of script-src and object-src, where a data: URI is an injection vector
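The directives and values above are what the generator assembles into one header string. The following is an added example (not ZeroUtil's own code) of the same assembly in plain JavaScript, plus the reverse parse and a small lint pass over the result. The directive-map shape and the function names buildCsp, parseCsp and lintCsp are this example's own conventions, not the tool's.

```javascript
// Added example (not ZeroUtil's code): build a Content-Security-Policy header
// from a directive map, parse one back into a map, and lint it for the weak
// settings a reviewer would flag before enforcing it.

// Keyword sources must be single-quoted in the header; bare hosts and schemes must not.
const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic']);

function quoteSource(src) {
  const bare = src.replace(/^'|'$/g, '');
  if (KEYWORDS.has(bare) || /^(nonce|sha(256|384|512))-/.test(bare)) return `'${bare}'`;
  return bare;
}

// directives: { 'script-src': ['self', 'https://cdn.example.com'], ... }  (shape assumed here)
function buildCsp(directives) {
  return Object.entries(directives)
    .filter(([, sources]) => sources && sources.length)
    .map(([name, sources]) => `${name} ${sources.map(quoteSource).join(' ')}`)
    .join('; ');
}

// Reverse direction: header string -> { directive: [sources...] }, tolerant of stray whitespace.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (!tokens.length) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = sources;
  }
  return out;
}

// Lint rules: each finding is a reason the policy is weaker than it looks.
function lintCsp(header) {
  const p = parseCsp(header);
  const findings = [];
  const fallback = p['default-src'];
  if (!fallback) findings.push('missing default-src: unlisted resource types are unrestricted');
  const script = p['script-src'] || fallback || [];
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present, so only flag it when it is alone.
  if (script.includes("'unsafe-inline'") && !script.some(s => /^'(nonce|sha\d+)-/.test(s)))
    findings.push("script-src allows 'unsafe-inline' without nonces or hashes: injected inline scripts will run");
  if (script.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  for (const s of script)
    if (s === '*' || s === 'https:' || s === 'http:') findings.push(`script-src allows scripts from any ${s} origin`);
  if (script.includes('data:')) findings.push('script-src allows data: URIs, an injection vector');
  if (!p['frame-ancestors']) findings.push('missing frame-ancestors: clickjacking is not mitigated by this policy');
  return findings;
}

module.exports = { buildCsp, parseCsp, lintCsp };
```

Run lintCsp over the header the form produces before copying it into a server configuration; a Moderate-style policy that puts https: or 'unsafe-inline' into script-src will show up here even though it looks restrictive at a glance.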

Frequently Asked Questions

What is a Content Security Policy?

CSP is an HTTP response header (or, with limitations, a <meta> tag) that tells the browser which resources it may load and from where. It is a defence-in-depth layer: by restricting where scripts may come from it mitigates cross-site scripting (XSS) and other content injection, and through the frame-ancestors directive it mitigates clickjacking. It does not remove the underlying injection bug, so it complements output encoding rather than replacing it.

Where do I add the CSP header?

Add it as an HTTP response header in your web server or CDN configuration (Nginx add_header, Apache Header set, Cloudflare, etc.), or as a <meta http-equiv="Content-Security-Policy"> tag in your HTML <head>. The header is preferred: it takes effect before any markup is parsed, and the <meta> form cannot carry frame-ancestors, report-uri or sandbox, nor the Report-Only variant.

What is the difference between Strict and Moderate presets?

Strict allows only same-origin resources for every directive, which is the right target for a new site. Moderate adds the patterns most existing sites depend on, such as inline styles and images from any HTTPS origin, and is a practical starting point; tighten it as you remove those dependencies, since each broad allowance is a gap an attacker can use.

Will CSP break my website?

It can, if the site loads resources from origins the policy does not list or relies on inline scripts and styles. Deploy the policy first as Content-Security-Policy-Report-Only: the browser reports violations but blocks nothing. Violations appear in the browser console, and if the policy includes report-uri or report-to they are also POSTed as JSON to the endpoint you name, which is the only way to see violations from real users. Switch to the enforcing header once the reports are clean.

Is my CSP policy sent to a server?

No. This tool runs entirely in your browser. The CSP header is generated client-side and nothing is transmitted to any server.
