
CSP Header Generator

Generate Content Security Policy headers

CSP Header Generator is a free online tool from BrowserUtils that generates Content Security Policy headers. It runs entirely in your browser, so your data never leaves your device. No account required.

'self' 'none' 'unsafe-inline' 'unsafe-eval' data: blob: https: *
Content-Security-Policy: default-src 'self'
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

How to use CSP Header Generator

  1. Paste or type your input into the editor above.
  2. The tool processes your data instantly — right in your browser, with nothing sent to a server.
  3. Copy the result with one click or continue editing your input.

About CSP Header Generator

Free online CSP header generator. Build Content-Security-Policy headers with a visual editor for web security. This tool runs entirely in your browser — your data is never sent to a server. Just paste your input, get instant results, and copy with one click. No sign-up or installation required.

CSP Header Generator specs

Runtime: 100% client-side (browser)
Cost: Free — no account, no rate limits, no usage caps
Browser support: Chrome 90+, Firefox 88+, Safari 14+, Edge 90+
Part of: 299 developer tools on BrowserUtils (100% client-side)

Questions

What is a Content Security Policy (CSP) header?
A CSP header is an HTTP response header that tells browsers which sources of content (scripts, styles, images, etc.) are allowed to load on your page. It is one of the most effective defenses against cross-site scripting (XSS) and data injection attacks.
How do I test a CSP header without breaking my site?
Use the Content-Security-Policy-Report-Only header first, which logs violations to a reporting endpoint without actually blocking anything. Once you have reviewed the reports and fixed any issues, switch to the enforcing Content-Security-Policy header.
What does 'unsafe-inline' mean in CSP?
'unsafe-inline' is a source keyword, used inside directives such as script-src and style-src, that allows inline scripts and styles to execute. This weakens CSP protection significantly because XSS attacks typically inject inline code. Use nonce-based or hash-based allowlisting instead whenever possible.
How do I add the generated CSP header to my server?
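Copy the generated header string and add it to your server configuration: in Nginx use add_header, in Apache use Header set, and in Express.js use res.setHeader(). You can also set it via a meta tag in HTML, though the HTTP header approach is preferred: a policy delivered in a meta tag ignores the frame-ancestors, report-uri and sandbox directives, and Content-Security-Policy-Report-Only cannot be delivered that way at all.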
Does the CSP header generator work offline?
Yes. The generator builds CSP header strings using client-side logic with no server calls, so it works without an internet connection once the page is loaded.
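
The rollout described in the answers above (Report-Only first, a per-response nonce instead of 'unsafe-inline', res.setHeader() to send the header), as an added example that is not BrowserUtils code. It uses the Node.js response API that Express also exposes; the policy contents, the /csp-reports endpoint and all function names are assumptions.

```javascript
const crypto = require('node:crypto');

// A nonce must be unpredictable and regenerated for every response.
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// Serialize a policy object into a header value. The nonce is appended to
// script-src and style-src so inline blocks carrying it are allowed
// without falling back to 'unsafe-inline'.
function buildPolicy(directives, nonce) {
  return Object.entries(directives).map(([name, sources]) => {
    for (const s of sources) {
      // A source containing whitespace, ';' or ',' would start a new
      // directive or policy, so refuse it instead of emitting it.
      if (!/^[^\s;,]+$/.test(s)) throw new Error(`bad source in ${name}: ${s}`);
    }
    const nonced = name === 'script-src' || name === 'style-src';
    return [name, ...sources, ...(nonced ? [`'nonce-${nonce}'`] : [])].join(' ');
  }).join('; ');
}

// Report-only while violations are still being reviewed, enforcing afterwards.
function cspHeader(directives, nonce, { enforce }) {
  const name = enforce
    ? 'Content-Security-Policy'
    : 'Content-Security-Policy-Report-Only';
  return [name, buildPolicy(directives, nonce)];
}

// Constructed sample policy; /csp-reports is a hypothetical reporting endpoint.
const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'report-uri': ['/csp-reports'],
};

function handler(req, res) {
  const nonce = newNonce();
  const [name, value] = cspHeader(POLICY, nonce, { enforce: false });
  res.setHeader(name, value);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  // Only inline blocks carrying this response's nonce match the policy.
  res.end(`<!doctype html><script nonce="${nonce}">console.log("ok")</script>`);
}

// To serve locally: require('node:http').createServer(handler).listen(8080);
```

Switch `enforce` to true once the report endpoint shows no unexpected violations.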
Embed this tool

Copy this code to embed the tool on your website. Adjust the height to fit your layout.

<iframe src="https://www.browserutils.dev/embed/csp-header-generator" width="100%" height="500" frameborder="0" title="CSP Header Generator"></iframe>
