CSP header builder
Compose a Content-Security-Policy header from common directives—copy the value into server or CDN configuration after review.
About CSP header builder
Build a Content-Security-Policy header from directive fields, then copy it into nginx, Express, or CDN configuration. The header is assembled in your browser tab; the directive values you enter are not sent to Toolcore for the core operation described above.
How to use this page
Paste or type in the main workspace, run the primary action from the toolbar, then copy or download the result. Use Load example when the page offers it, or URL prefill (?q= / ?qb=) so agents and tickets open the same input.
Limits and safety
Utilities here are for development and inspection—do not paste live production keys, PANs, or recovery codes into any browser tab you do not control.
Build a Content-Security-Policy header value for nginx, Express, or CDN configs—pair with Subresource Integrity for third-party scripts.
Directives
Enter space-separated source expressions per directive, for example 'self' https://cdn.example.com. Keyword, nonce, and hash sources ('self', 'none', 'nonce-…', 'sha256-…') must be single-quoted; scheme and host sources such as https: or https://cdn.example.com are not. Leave a field blank to omit that directive from the header.
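How the directive fields become a header value, as an added example in JavaScript (this is not Toolcore's code): bare keywords are quoted, blank fields are dropped, a `'none'` mixed with other sources is rejected, and the finished value is emitted as an nginx `add_header` line or an Express middleware. The origins, the `/csp-report` path, and the `POLICY` sample are constructed for illustration.

```javascript
// Added example, not Toolcore's code: assemble a CSP header value from
// per-directive source lists and emit it for nginx or Express.
const KEYWORD_SOURCES = new Set([
  "self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
  "strict-dynamic", "report-sample", "wasm-unsafe-eval",
]);

// Normalise one source expression: bare keywords get the single quotes the
// CSP grammar requires, nonce/hash sources must already be quoted, and a
// source containing whitespace, ';' or ',' would corrupt the header, so reject it.
function normalizeSource(raw) {
  const s = raw.trim();
  if (s === "") return null;
  if (/[\s;,]/.test(s)) throw new Error(`invalid source expression: ${JSON.stringify(raw)}`);
  const bare = s.replace(/^'/, "").replace(/'$/, "").toLowerCase();
  if (KEYWORD_SOURCES.has(bare)) return `'${bare}'`;
  if (/^(nonce|sha256|sha384|sha512)-/.test(bare)) {
    if (!(s.startsWith("'") && s.endsWith("'"))) throw new Error(`nonce/hash source must be quoted: ${s}`);
    return s; // keep case: base64 is case-sensitive
  }
  return s; // scheme (https:, data:) or host (https://cdn.example.com) source, kept as typed
}

// directives: ordered object { "script-src": "'self' https://cdn.example.com", ... }.
// A blank string omits the directive (the builder's "leave a field blank" rule);
// `true` emits a value-less directive such as upgrade-insecure-requests.
function buildCsp(directives) {
  const parts = [];
  for (const [name, value] of Object.entries(directives)) {
    const dir = name.trim().toLowerCase();
    if (!/^[a-z][a-z0-9-]*$/.test(dir)) throw new Error(`invalid directive name: ${name}`);
    if (value === true) { parts.push(dir); continue; }
    const sources = (value || "").split(/\s+/).map(normalizeSource).filter(Boolean);
    if (sources.length === 0) continue;
    if (sources.includes("'none'") && sources.length > 1) {
      throw new Error(`${dir}: 'none' must be the only source`); // browsers ignore 'none' otherwise
    }
    parts.push(`${dir} ${sources.join(" ")}`);
  }
  return parts.join("; ");
}

function headerName(reportOnly) {
  return reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
}

// nginx: `always` so the header is also sent on 4xx/5xx pages.
function nginxLine(policy, reportOnly = false) {
  if (policy.includes('"') || policy.includes("$")) throw new Error("policy would break nginx quoting");
  return `add_header ${headerName(reportOnly)} "${policy}" always;`;
}

// Express: set the same header on every response.
function cspMiddleware(policy, reportOnly = false) {
  const name = headerName(reportOnly);
  return (req, res, next) => { res.setHeader(name, policy); next(); };
}

// Constructed sample: a strict policy for a static site with one CDN and one API.
const POLICY = buildCsp({
  "default-src": "'self'",
  "script-src": "'self' https://cdn.example.com",
  "style-src": "'self'",
  "img-src": "'self' data:",
  "connect-src": "'self' https://api.example.com",
  "object-src": "'none'",
  "base-uri": "'self'",
  "frame-ancestors": "'none'",
  "form-action": "",            // blank field: omitted from the header
  "upgrade-insecure-requests": true,
  "report-uri": "/csp-report",
});
```

Start with `nginxLine(POLICY, true)` or `cspMiddleware(POLICY, true)` so the policy is report-only, then switch `reportOnly` to `false` once the violation reports are clean.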
Nearby workflows on Toolcore
- Permissions-Policy builder — Build a Permissions-Policy header to allow or deny camera, geolocation, payment, and other browser features locally.
- Subresource Integrity (SRI) — SHA-256/384/512 base64 integrity tokens for script and link tags—UTF-8 paste or local file; Web Crypto only.
- HTTP headers — Common request and response header fields—names, direction, and short summaries—filterable client-side.
- Meta tag generator — Build title, description, canonical, Open Graph, and Twitter meta tags—copy a head fragment locally.
Common use cases
- Draft a strict CSP before deploying a static site.
- Add report-uri (and report-to, which newer browsers prefer) while testing violations in staging.
- Document allowed script and connect sources for security review.
Common mistakes to avoid
Forgetting inline script allowances
script-src 'self' blocks inline <script> blocks and inline event handlers such as onclick="…". Inline <script> elements can be allowed individually with a per-response nonce or a hash of their exact text; inline event handlers are not covered by nonces and need 'unsafe-hashes' plus a hash, or 'unsafe-inline', which gives up most of the protection. Adjust deliberately, and prefer moving handlers into external scripts.
Copying without testing
Deploy the value as Content-Security-Policy-Report-Only first, watch browser console violations and the report endpoint through real user journeys, then switch to the enforcing Content-Security-Policy header.
FAQ
Is this a CSP evaluator?
No. It builds the header string—you still deploy and test policy in your environment.
How does this relate to SRI?
They are complementary. An SRI integrity attribute pins one script or stylesheet to a hash, so a file altered on an allowed CDN is refused; CSP restricts which origins may be loaded at all but trusts whatever those origins serve. A strict script-src plus SRI on third-party tags covers both the wrong-origin and the tampered-file case.
Is data sent to a server?
No. The header is assembled locally in your browser.