CSP Builder
Assemble a Content-Security-Policy header from source directives. Everything is processed on your device, nothing is sent to a server.
Everything runs in your browser. Your data is never sent to our servers.
Example
Example Input
default-src 'self', script-src 'self'
Example Output
Content-Security-Policy: default-src 'self'; script-src 'self'
How to Use
- 1Fill the input fields with your data (or paste the text to process).
- 2If there are options, adjust them to your needs.
- 3Click Run (or press Ctrl+Enter) to build.
- 4The result appears in the Result area. Click Copy to copy it.
About CSP Builder
The CSP Builder assembles a Content-Security-Policy header from directives like default-src, script-src, style-src, img-src, connect-src, and frame-ancestors. CSP is a primary defense against XSS — it restricts where scripts, styles, and other resources may load from.
In the browser.
FAQ
Are any network requests sent?
No. This tool only transforms/analyzes text in your browser — no actual HTTP request is sent, and your data never leaves your device. (Tools that truly call an external server are intentionally not provided due to browser CORS limits.)
Is my data safe?
Yes. All processing happens entirely locally in your browser. Nothing is uploaded, logged, or stored on our servers.