What does default-src do?

default-src is the fallback for most fetch directives. If you do not set script-src or img-src, the browser uses default-src for them. A restrictive default-src such as 'self' is the safest starting point.

Why is unsafe-inline discouraged?

unsafe-inline lets inline scripts and styles run, which defeats much of CSP's protection against cross-site scripting. Prefer nonces or hashes so only your intended inline code executes. The builder warns whenever you add it.

What protects against clickjacking?

frame-ancestors controls which origins may embed your page in a frame. Setting frame-ancestors 'none' or to specific trusted origins replaces the older X-Frame-Options header and stops clickjacking.

Should I quote keywords like self and none?

Yes. Keyword sources must be wrapped in single quotes inside the header, for example 'self', 'none', 'unsafe-inline', and nonce-… Host sources like https://cdn.example.com are written without quotes. The builder formats this for you.

Is my policy sent anywhere?

No. The header is assembled entirely in your browser from the values you type. Nothing about your policy is transmitted, so you can build internal policies safely.

Content Security Policy (CSP) Header Builder

A Content Security Policy (CSP) is an HTTP response header that tells the browser which sources of scripts, styles, images, and other resources are allowed to load — the single most effective defence against cross-site scripting and content injection. This builder lets you fill in each directive, explains what it controls, warns about weak values, and assembles a correctly formatted header you can paste straight into your server config. Nothing is transmitted.

How it works

CSP is a single header whose value is a semicolon-separated list of directives, each followed by a space-separated source list:

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'

The builder follows the spec’s rules:

Keyword sources ('self', 'none', 'unsafe-inline', 'unsafe-eval', nonces, hashes) are single-quoted.
Host and scheme sources (https://cdn.example.com, data:) are written bare.
Directives you leave empty are omitted, so the header stays minimal.
Each non-empty directive is joined with ; to form the final header string.

It also flags risk: adding 'unsafe-inline' to script-src triggers a warning because it undermines the policy.

Tips and notes

Start strict with default-src 'self', then open up only the specific directives and hosts your app actually needs.
Prefer nonces or hashes over 'unsafe-inline' for any inline script or style you cannot remove.
Always set frame-ancestors to stop clickjacking; 'none' blocks all framing, or list trusted origins.
Test with the Content-Security-Policy-Report-Only header first so violations are reported without breaking the page, then switch to the enforcing header.