CSP Header Generator - Content Security Policy Builder

default-src (Fallback for other directives)

'self' 'none' https: data:

script-src (JavaScript sources)

'self' 'unsafe-inline' 'unsafe-eval' https:

style-src (CSS sources)

'self' 'unsafe-inline' https:

img-src (Image sources)

'self' data: https: blob:

font-src (Web font sources)

'self' data: https:

connect-src (XHR, WebSocket, fetch)

'self' https: wss:

frame-src (Iframe sources)

'self' 'none' https:

object-src (Flash, Java, etc.)

'none' 'self'

base-uri (Restrict base tag)

'self' 'none'

form-action (Form submission targets)

'self' https:

frame-ancestors (Who can embed your site)

'none' (recommended) 'self'

Additional Options

upgrade-insecure-requests block-all-mixed-content

Content Security Policy Generator