Build Content-Security-Policy headers and meta tags with common directives, reporting options, and quick security warnings.
Ship the policy in report-only mode while you validate violations.
Tell the browser to rewrite HTTP subresource requests to HTTPS.
Reject insecure subresources that still slip through after HTTPS upgrades.
Optional. Add a reporting endpoint if you want browsers to send CSP violation reports.
Fallback rule for everything not covered by a more specific directive.
JavaScript sources, including third-party SDKs and CDNs.
Stylesheets and inline style allowances.
Images, favicons, and CSS background assets.
Fetch, XHR, WebSocket, EventSource, and beacon endpoints.
Font files loaded by the page.
Embedded objects and plugins. Lock this down unless required.
Controls which sites may embed this page in a frame.
Restricts where the document base URL may point.
Allowed form submission destinations.
Build a Content Security Policy header or meta tag without hand-writing every directive. This tool is useful when you are locking down scripts, styles, images, API endpoints, fonts, and framing rules for a web app.
Meta tags can deliver an enforced CSP, but they do not support report-only mode and they apply later than response headers. Prefer headers whenever you control the server or edge config.
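The header-versus-meta difference described above, as an added example that is not the tool's own code: a small builder that assembles the policy, refuses report-only mode for meta delivery, and drops the directives browsers ignore in a meta tag. The function name buildCsp, its option names, and the sample origins are assumptions made for illustration.

```javascript
// Added example. buildCsp and its option names are hypothetical, not the tool's API.
// Directives the CSP spec ignores when the policy arrives in a <meta> element.
const META_IGNORED = new Set(["frame-ancestors", "report-uri", "sandbox"]);

function buildCsp({ directives, delivery = "header", reportOnly = false,
                    upgradeInsecureRequests = false, reportUri = "" }) {
  if (delivery === "meta" && reportOnly)
    throw new Error("report-only mode requires a response header");
  const all = { ...directives };
  if (reportUri) all["report-uri"] = [reportUri];
  const warnings = [];
  const parts = [];
  for (const [name, sources] of Object.entries(all)) {
    if (delivery === "meta" && META_IGNORED.has(name)) {
      warnings.push(`${name} is ignored in a meta tag`);
      continue;
    }
    for (const src of sources) {
      // A ';' or ',' inside a source would start a new directive or policy.
      if (/[;,\s]/.test(src)) throw new Error(`bad source in ${name}: ${src}`);
      if (src === "*") warnings.push(`${name} allows any origin`);
      if (name === "script-src" && /^'unsafe-(inline|eval)'$/.test(src))
        warnings.push(`script-src allows ${src}`);
    }
    parts.push([name, ...sources].join(" "));
  }
  if (!all["default-src"]) warnings.push("no default-src fallback");
  if (upgradeInsecureRequests) parts.push("upgrade-insecure-requests");
  const value = parts.join("; ");
  if (delivery === "meta") {
    const attr = value.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
    return { warnings,
      output: `<meta http-equiv="Content-Security-Policy" content="${attr}">` };
  }
  const header = reportOnly ? "Content-Security-Policy-Report-Only"
                            : "Content-Security-Policy";
  return { warnings, output: `${header}: ${value}` };
}

// Constructed sample policy (origins are placeholders).
const sample = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example.com", "'unsafe-inline'"],
  "object-src": ["'none'"],
  "frame-ancestors": ["'none'"],
};
console.log(buildCsp({ directives: sample, reportOnly: true }));
console.log(buildCsp({ directives: sample, delivery: "meta" }));
```

With the sample policy, the meta output omits frame-ancestors and reports that in its warnings, so the framing rule has to be sent as a header to take effect.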
All processing happens locally in your browser. Your data never leaves your computer, ensuring complete privacy and security.