Home/Developer Tools/Developer Tools
Developer Tools

CSP Builder & Validator

Build and validate Content Security Policy headers privately in your browser.

Build and validate Content Security Policy headers locally

Create a policy, validate an existing one, and preview framework snippets without sending anything to a server.

A valid CSP can still be too permissive or break legitimate site functionality. Test with Report-Only mode before enforcing it in production.

default-src

Fallback source list applied when a more specific directive is not set.

script-src

Controls which scripts may execute, including inline, external and trusted script sources.

style-src

Controls which stylesheets and style sources may load or execute.

img-src

Controls images, favicons and other image-like resources.

font-src

Controls web fonts and font files.

connect-src

Controls fetch, XHR, WebSocket and similar network connections.

frame-src

Controls frames and iframes that the page may embed.

object-src

Controls plugin and legacy object/embed content.

base-uri

Controls the document base URL and helps prevent base-tag injection.

form-action

Controls which endpoints forms may submit to.

frame-ancestors

Controls which sites may embed this page in a frame.

worker-src

Controls workers and service-worker-like execution contexts.

media-src

Controls audio and video resource loading.

manifest-src

Controls web app manifest loading.

Builder characters
0
Output characters
0

Generated policy output

Waiting
Build or validate a policy to see the output here.

Validation results

No validation run yet
Mode label: Enforce
No validation results yet.

Risk warnings

Review these carefully before using a policy in production.

No risk warnings yet.

Framework snippets

Build or validate a policy to preview framework snippets.