All tools

Web

CSP builder

Build and audit a Content-Security-Policy header, directive by directive.

Directives

Local only — your policy stays in the browser and never appears in the URL.

Fill in some directives to generate a policy.

Security checklist

GoodWarningRisk
  • Warningobject-src

    Missing object-src and default-src: set object-src 'none' to block plugins.

  • Warningbase-uri

    Missing base-uri: set base-uri 'none' or 'self' to block base-tag injection.

  • Warningframe-ancestors

    Missing frame-ancestors: add frame-ancestors 'none'/'self' to prevent clickjacking.

  • Warningdefault-src

    Missing default-src: it is the fallback for fetch directives you did not set.