Automatic CSP Generator

Generate Content Security Policy headers for your website. Protect against XSS, clickjacking, and other injection attacks.

Enter a URL to scan with a real browser and generate a CSP policy.

We'll scan your website with a real browser to discover all scripts, styles, and external resources needed for your Content Security Policy.

What we detect:

  • External scripts & styles
  • Third-party resources
  • Inline code usage

What you get:

  • Ready-to-use CSP header
  • Security header audit
  • Implementation guidance

What is Content Security Policy?

Content Security Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks. It works by specifying which sources of content browsers should trust and execute.

When a browser loads your page, it checks each resource (scripts, styles, images, fonts, etc.) against your CSP rules. Resources that don’t match an approved source are blocked, preventing malicious code from executing even if an attacker manages to inject it into your page.

How CSP works

CSP is delivered as an HTTP response header:

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com

This example policy:

  • Allows resources from the same origin ('self') by default
  • Only allows scripts from the same origin and cdn.example.com
  • Blocks inline scripts unless explicitly allowed

Common CSP directives

default-src - Fallback for resource-fetching directives (script-src, style-src, img-src, font-src, connect-src, frame-src, etc.) that are not explicitly specified. It does not cover frame-ancestors, form-action, or base-uri, which must be set on their own.

script-src - Controls which scripts can execute. Critical for preventing XSS.

style-src - Controls which stylesheets can be applied.

img-src - Controls which images can be loaded.

font-src - Controls which fonts can be loaded.

connect-src - Controls which URLs can be accessed via fetch, XMLHttpRequest, and WebSocket.

frame-src - Controls which URLs can be embedded in iframes.

frame-ancestors - Controls which sites can embed your page in an iframe (clickjacking protection).

form-action - Controls where forms can submit data.

base-uri - Restricts URLs that can appear in the <base> element.

Special source values

  • 'self' - Same origin as the document
  • 'none' - Block all sources
  • 'unsafe-inline' - Allow inline scripts/styles (reduces security)
  • 'unsafe-eval' - Allow eval() and similar (reduces security)
  • 'strict-dynamic' - Trust scripts loaded at runtime by a script that was itself allowed via a nonce or hash; when present, browsers that support it ignore host allowlists in script-src
  • 'nonce-{value}' - Allow inline scripts carrying a matching nonce attribute; the value must be random and freshly generated for every response
  • 'sha256-{hash}' - Allow inline scripts whose exact contents (whitespace included) hash to the given base64-encoded value; sha384 and sha512 are also accepted

Implementing CSP

Start with report-only mode - Use Content-Security-Policy-Report-Only to test your policy without breaking anything. Monitor the reports to identify legitimate resources being blocked.

Be specific - Avoid 'unsafe-inline' and 'unsafe-eval' where possible. Use nonces or hashes for inline scripts you control.

Iterate - CSP implementation is often iterative. Start restrictive, monitor reports, and adjust as needed.
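The rollout described above, as an added example that is not part of this tool or QuantCDN's code: it generates a per-response nonce, computes a hash source for an inline script you control, and emits either the report-only or the enforcing header. The /csp-report endpoint is an assumed reporting URL.

```python
# Added example (not the tool's own code): build CSP header values with nonce and
# hash sources so inline scripts you control are allowed without 'unsafe-inline'.
import base64
import hashlib
import secrets


def make_nonce() -> str:
    """Fresh, unguessable nonce; generate one per HTTP response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def hash_source(inline_script: str, algo: str = "sha256") -> str:
    """CSP hash source for an inline script's exact contents (whitespace matters)."""
    digest = hashlib.new(algo, inline_script.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_policy(directives: dict[str, list[str]]) -> str:
    """Serialise {directive: [sources]} into a header value; 'none' must stand alone."""
    parts = []
    for name, sources in directives.items():
        if "'none'" in sources and len(sources) > 1:
            raise ValueError(f"{name}: 'none' cannot be combined with other sources")
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


def csp_headers(nonce: str, inline_scripts: list[str], cdn: str, report_only: bool) -> dict[str, str]:
    """Step 1 sends Content-Security-Policy-Report-Only; once reports are clean, switch to enforcing."""
    policy = build_policy({
        "default-src": ["'self'"],
        "script-src": ["'self'", cdn, f"'nonce-{nonce}'"] + [hash_source(s) for s in inline_scripts],
        "style-src": ["'self'"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],          # not covered by default-src, so set explicitly
        "frame-ancestors": ["'none'"],   # clickjacking protection; also not covered by default-src
        "form-action": ["'self'"],
        "report-uri": ["/csp-report"],   # assumed endpoint that logs violation reports
    })
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {header: policy}


if __name__ == "__main__":
    nonce = make_nonce()
    for mode in (True, False):  # constructed inline script and CDN host for demonstration
        for name, value in csp_headers(nonce, ["console.log('hi')"], "https://cdn.example.com", mode).items():
            print(f"{name}: {value}")
```

Insert the same nonce into each trusted `<script nonce="...">` tag of that response; a nonce reused across responses gives an attacker who can read one page a value that works everywhere.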

How to deploy CSP with QuantCDN

You can add CSP headers to your site using Page Rules. Create a rule that matches your pages and adds the Content-Security-Policy header with your generated policy.

How this tool works

Use the generator above to build a CSP policy by selecting which sources to allow for each directive. The tool outputs a ready-to-use header value that you can add to your server configuration or QuantCDN Page Rules.