CSP Builder — lab.johlem.net

All processing happens locally in your browser. No data is sent to any server.

default-src Fallback for other directives

script-src JavaScript sources

style-src CSS sources

img-src Image sources

font-src Font sources

connect-src AJAX, WebSocket, fetch

media-src Audio/video sources

object-src Plugins (Flash, Java)

frame-src iframe sources

frame-ancestors Who can embed this page

base-uri Restrict <base> URLs

form-action Form submission targets

upgrade-insecure-requests Upgrade HTTP to HTTPS

block-all-mixed-content Block mixed HTTP/HTTPS

Header Format

Content-Security-Policy: default-src 'self'

Meta Tag Format

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

'self' Same origin only

'none' Block all

'unsafe-inline' Allow inline scripts/styles

'unsafe-eval' Allow eval()

https: Any HTTPS URL

data: Data URIs

blob: Blob URIs

*.example.com Wildcard subdomain