CSP Builder
Diagnose security headers and policies in your browser. No input is sent to a server. Use it for first-pass checks before rollout.
Status
Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.
How to use
Select a template, add required domains, then click Build. Verify the generated policy with audit tools before deployment.
Notes (this tool)
- This output is a starter policy. Adjust it to the script, style, image and connect sources your site actually loads.
- Use Report-Only first, review violation logs, then enforce for safer rollout.
About this page
What does this tool do?
Provides templates to quickly build CSPs for common setups.
Debugging workflow (recommended)
- Pick a template
- Add required domains
- Validate with CSP Inspect
Recommendations (practical)
- Start by tightening default-src and script-src
- Roll out with report-only first
- Minimize unsafe-inline/unsafe-eval
Related tools
- CSP Inspect
- Security Headers Audit
What this tool does
- Generate CSP templates
- Add allowed domains
Operational notes
- Recommended values are environment-dependent. Validate against functional requirements before applying.
- In production, use phased rollout with report monitoring.
Referenced specs
- MDN: CSP
FAQ
Should CSP be strict from day one?
A practical path is starting with Report-Only, observing violations, then tightening gradually.
Is keeping unsafe-inline problematic?
'unsafe-inline' lets any inline script or style execute, which widens the attack surface; migrating to nonces or hashes and keeping its use minimal is recommended.
Page-specific case studies
This page helps design an initial CSP using a nonce/hash strategy and least-privilege directives.
- Minimize allowed sources for script-src and style-src.
- Choose a nonce-based or hash-based policy model.
- Plan early reduction of unsafe-inline usage.
Page-specific implementation checklist
- Collect violation logs in Report-Only mode before enforcement.
- Centralize nonce injection in your template layer.
- Inventory third-party resource origins.
- Run regression tests on key pages after CSP changes.
Next to view (diagnostic order)
These links are generated from site_map rules in recommended diagnostic order.
- CSP Inspect — Parse and evaluate CSP directives
- CSP Nonce/Hash Helper — Generate and verify CSP nonce/hash values
- CSP Report Analyzer — Analyze CSP report JSON and summarize violation patterns
- Security Headers Fix Plan — Create a prioritized header-fix plan
- Security Headers Audit — Audit presence of major security headers
- Security Headers Recommendation — Suggest recommended values for missing headers
- HSTS Inspect — Parse HSTS to verify HTTPS enforcement
- Permissions-Policy Inspect — Parse Permissions-Policy and review feature restrictions
Same-theme links
Security Headers
Go from missing-header detection to concrete fix planning
- Security Headers Audit — Audit presence of major security headers
- Security Headers Recommendation — Suggest recommended values for missing headers
- Security Headers Fix Plan — Create a prioritized header-fix plan
- CSP Nonce/Hash Helper — Generate and verify CSP nonce/hash values
- CSP Report Analyzer — Analyze CSP report JSON and summarize violation patterns
- CSP Inspect — Parse and evaluate CSP directives
- HSTS Inspect — Parse HSTS to verify HTTPS enforcement
- Permissions-Policy Inspect — Parse Permissions-Policy and review feature restrictions
- Referrer-Policy Inspect — Parse Referrer-Policy and check referrer exposure
- X-Frame-Options Inspect — Parse X-Frame-Options to validate clickjacking protection
- X-Content-Type-Options Inspect — Parse X-Content-Type-Options and validate nosniff