Header or tag — which should I use?

The HTTP header is preferred. The form is convenient when you can't edit response headers (static hosts, etc.), but it can't define frame-ancestors or report-uri/report-to, so it's strictly less powerful.

Why is the wildcard a warning?

* in a source list matches any URL, defeating the policy entirely. Pin sources to specific origins or use 'self' instead — if you genuinely need third-party scripts, list them explicitly.

Content-Security-Policy Builder

Network

Composes a Content-Security-Policy header from a directive-by-directive form. Each directive accepts a space-separated source list (keywords like 'self', 'none', 'unsafe-inline', or scheme/host sources). The tool flags policies that contain unsafe-inline, unsafe-eval, or a wildcard, omits empty directives from the output, and emits both the response header form and the equivalent <meta> tag. Switch to report-only mode while you're rolling a new policy out to production.

—

Presets

Directives

default-src — fallback for any -src directive not setscript-src — JavaScript sourcesstyle-src — CSS sourcesimg-src — image sourcesfont-src — font sourcesconnect-src — fetch / XHR / WebSocket / EventSourcemedia-src — audio / video sourcesframe-src — frame contentsworker-src — Worker / SharedWorker scriptsobject-src — <object>, <embed>, <applet> — set to 'none'base-uri — <base> tag URLsform-action — form submission endpointsframe-ancestors — who can embed this page (replaces X-Frame-Options)report-uri — violation report endpoint (legacy)

Report-only mode

Header

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'

<meta> tag

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'">

An empty directive falls through to default-src. Set default-src 'self' first, then narrow individual sources.

How to use

Start from a preset (Strict locks everything to 'self', Relaxed allows inline + wildcards, API-only blocks navigation).
Edit each directive — leave a field blank to drop it.
Turn on report-only when shipping a new policy: violations are reported but not blocked.

Frequently asked questions

Header or <meta> tag — which should I use?: The HTTP header is preferred. The <meta> form is convenient when you can't edit response headers (static hosts, etc.), but it can't define frame-ancestors or report-uri/report-to, so it's strictly less powerful.
Why is the wildcard a warning?: * in a source list matches any URL, defeating the policy entirely. Pin sources to specific origins or use 'self' instead — if you genuinely need third-party scripts, list them explicitly.

Related tools

URL Query Builder

Build URLs by combining a base address with editable key-value query parameters — each pair toggleable, properly percent-encoded.

Network00

IP Address Inspector

Type an IPv4 or IPv6 address and see its class, scope (private / public / loopback / link-local), decimal value, binary, reverse-DNS notation, and /32 CIDR.

Network00

Port Number Reference

Searchable cheat sheet for ~60 standard TCP / UDP port numbers — from 22 (SSH) and 80 (HTTP) to 6379 (Redis) and 27017 (MongoDB).

Network00

DNS Record Reference

Searchable cheat sheet for DNS record types — A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV, CAA, DNSSEC, SVCB / HTTPS — with examples.

Network00

Subnet Calculator (IPv4 / CIDR)

Parse an IPv4 CIDR into network address, broadcast, netmask, wildcard, host range, and class. Shows binary breakdown and private/public status.

Network00

User Agent Parser

Parse a User-Agent string into browser, engine, OS, device, and CPU. Detects 20+ bots including GPTBot, ClaudeBot, PerplexityBot.

Network00