CSP header builder
ClientCompose a Content-Security-Policy header from common directives—copy the value into server or CDN configuration after review.
About CSP header builder
Build a Content-Security-Policy header from directive fields—copy for nginx, Express, or CDN configs locally. The interactive transform on this page runs in your browser tab—Toolcore does not need your paste for the core operation described above.
How to use this page
Paste or type in the main workspace, run the primary action from the toolbar, then copy or download the result. Use Load example when the page offers it, or URL prefill (?q= / ?qb=) so agents and tickets open the same input.
Limits and safety
Utilities here are for development and inspection—do not paste live production keys, PANs, or recovery codes into any browser tab you do not control.
Build a Content-Security-Policy header value for nginx, Express, or CDN configs—pair with Subresource Integrity for third-party scripts.
Directives
?
Enter space-separated source expressions per directive—for example 'self' https://cdn.example.com. Leave a field blank to omit that directive from the header.
Nearby workflows on Toolcore
- Permissions-Policy builder — Build a Permissions-Policy header to allow or deny camera, geolocation, payment, and other browser features locally. before you trust a token, digest, or key material in production.
- Referrer-Policy builder — Pick a Referrer-Policy value and copy the HTTP header—control referrer leakage locally. before you trust a token, digest, or key material in production.
- Cross-origin policy headers — Build COOP, COEP, and CORP response headers for isolation and embed rules—in your browser. before you trust a token, digest, or key material in production.
- HSTS header builder — Draft Strict-Transport-Security with max-age, includeSubDomains, and optional preload—local only. before you trust a token, digest, or key material in production.
Common use cases
- Draft a strict CSP before deploying a static site.
- Add report-uri while testing violations in staging.
- Document allowed script and connect sources for security review.
Common mistakes to avoid
Forgetting inline script allowances
script-src 'self' blocks inline handlers unless you add nonces, hashes, or unsafe-inline—adjust deliberately.
Copying without testing
Apply CSP in report-only mode first and watch browser console violations.
FAQ
Is this a CSP evaluator?
No. It builds the header string—you still deploy and test policy in your environment.
How does this relate to SRI?
Subresource Integrity tags protect individual files; CSP restricts which origins may load at all.
Is data sent to a server?
No. The header is assembled locally in your browser.
More tools
Related utilities you can open in another tab—mostly client-side.
Permissions-Policy builder
ClientBuild a Permissions-Policy header to allow or deny camera, geolocation, payment, and other browser features locally.
Referrer-Policy builder
ClientPick a Referrer-Policy value and copy the HTTP header—control referrer leakage locally.
Cross-origin policy headers
ClientBuild COOP, COEP, and CORP response headers for isolation and embed rules—in your browser.
HSTS header builder
ClientDraft Strict-Transport-Security with max-age, includeSubDomains, and optional preload—local only.