epitometool

CSP header generator

Build a Content-Security-Policy header from domain allowlists.

Input format: One allowed origin per line

Quick start

How to use csp-header-generator

Enter input and view computed output.

  1. Enter input: paste or type your data in the input box.
  2. Compute: the tool processes input instantly in your browser.
  3. Use output: copy the output and continue your workflow.

In-depth guide

CSP header generator guide

Build a Content-Security-Policy header from domain allowlists. This tool is designed for fast local processing and practical day-to-day use.

Quick start

Paste input, review output instantly, then copy it for your workflow.

Input tips

Use one value per line for structured inputs. Common separators are handled gracefully.

Privacy

Processing runs in your browser tab for the MVP workflow, with no mandatory upload step.

When to use it vs alternatives

Use this tool for quick browser-based work when you need an answer or output immediately. Use a dedicated application or automated workflow when you need bulk processing, approvals, or repeatable production rules.

Common pitfalls

  • Check the result before replacing the original input.
  • Watch for unit, format, encoding, and browser memory limits on large inputs.
  • Keep a copy of important source material until the output is verified.

Frequently asked questions

What is a Content-Security-Policy header?

It tells the browser which sources of scripts, styles, images and other resources are allowed, which mitigates cross-site scripting and data injection attacks.

How do I start without breaking my site?

Deploy the policy in report-only mode first using Content-Security-Policy-Report-Only, watch the violation reports, then enforce once it is clean.

Why is unsafe-inline discouraged?

Allowing unsafe-inline defeats much of CSP's XSS protection. Prefer nonces or hashes for the few inline scripts and styles you genuinely need.

What does default-src do?

It is the fallback for any directive you do not set explicitly, so a restrictive default-src plus targeted overrides is a solid baseline.

Where do I put the header?

Send it as an HTTP response header from your server or CDN. A meta tag works for some directives but cannot cover frame-ancestors or sandbox.

Is anything uploaded?

No. The header string is generated entirely in your browser.
