CSP Generator
Build a Content Security Policy header visually. Select sources per directive, add custom domains, and copy the ready-to-use header or server config snippet.
A Content Security Policy (CSP) is an HTTP response header that tells browsers which sources are allowed to load resources on your page — scripts, styles, images, fonts, iframes, and more. It's the primary defence against cross-site scripting (XSS) attacks and data injection.
Generate your policy using this tool, then add it as a response header in your web server config. For Nginx, use: add_header Content-Security-Policy "your-policy" always; For Apache, use: Header always set Content-Security-Policy "your-policy". The tool provides ready-to-paste snippets for both.
'unsafe-inline' allows inline JavaScript (<script> tags and onclick attributes) and inline CSS (<style> tags and style attributes). While convenient, it significantly weakens XSS protection. The secure alternative is to use nonces (script-src 'nonce-abc123') or hash-based allowlisting.
Start with Strict if you're building a new site — it's the most secure and forces good practices. Use Moderate if you have an existing site with inline scripts or third-party resources you can't immediately remove. WordPress sites typically need the WordPress preset due to the admin interface's use of inline scripts.