CSP Builder.
Construct a Content-Security-Policy directive by directive with plain-English explanations, validate a policy you already have, or paste a page's HTML to see exactly what a policy would block — and get a suggested minimal policy. Everything runs in your browser.
Fallback for every fetch directive you do not set explicitly. Set this to lock everything down, then open up specific resource types.
Where scripts may load from, and whether inline/eval are allowed. The most security-critical directive — XSS lives here.
Where stylesheets may load from, and whether inline styles are allowed.
Where images (including favicons and srcset) may load from.
Endpoints reachable via fetch/XHR, WebSocket, EventSource, and sendBeacon.
Where web fonts may load from (@font-face src).
Sources allowed in <iframe> / <frame>. Falls back to child-src then default-src.
Where <audio>, <video>, and <track> may load from.
Sources for <object>/<embed> plugins. Should almost always be 'none'.
Where Worker, SharedWorker, and ServiceWorker scripts may load from.
Where the web app manifest may load from.
Restricts the <base> element. Set to 'self' (or 'none') to stop an injected <base> from hijacking every relative URL.
Where forms may submit. Limits exfiltration via injected <form action>.
Who may embed this page in a frame — the modern replacement for X-Frame-Options. Use 'none' to block clickjacking.
Other directives
Reporting
Paste a Content-Security-Policy
1 · Paste a page's HTML
2 · Policy to test against
What this policy would block
Page inventory
How a Content-Security-Policy works
A CSP is a response header (or <meta> tag) that tells the browser which sources of script, style, images, and other resources are trusted. Anything not on the list is blocked, which is why CSP is one of the strongest defenses against cross-site scripting.
Start fail-closed
Set default-src 'self', then open up only the resource types and origins you actually use. Unset directives fall back to default-src.
Avoid 'unsafe-inline'
Prefer a per-response nonce-… on each inline <script>, paired with 'strict-dynamic' for a policy that scales without host allowlists.
Don't forget the “quiet” directives
object-src 'none', base-uri 'self', and frame-ancestors 'none' close common bypasses and clickjacking — they aren't covered by default-src.
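A small evaluator for the fallback and source-matching rules described in the directive list and the notes above, added here as an example and not part of the CSP Builder's own code. The sample policy and page origin are constructed, and the matcher deliberately ignores nonces, hashes, 'strict-dynamic', ports and paths.

```javascript
// Added example (not the CSP Builder's own code): parse a policy, resolve fallback chains,
// test a URL against a directive, list unset "quiet" directives. No nonce/hash/port/path support.
const FALLBACK = {                          // consulted in order when a directive is unset
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
  'child-src': ['default-src'], 'script-src': ['default-src'], 'style-src': ['default-src'],
  'img-src': ['default-src'], 'connect-src': ['default-src'], 'object-src': ['default-src'],
};
// base-uri and frame-ancestors never inherit from default-src; object-src does, but an
// inherited 'self' still lets same-origin plugins load, so set it to 'none' explicitly.
const QUIET = ['object-src', 'base-uri', 'frame-ancestors'];

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    const key = name?.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources); // first occurrence of a directive wins
  }
  return policy;
}

function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (policy.has(name)) return policy.get(name);
  }
  return null; // nothing applies: the browser allows every origin for this resource type
}
function sourceAllows(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (s.endsWith(':')) return url.protocol === s;                      // scheme-source, e.g. https:
  // host-source: optional scheme, optional *. wildcard, host; keywords like 'unsafe-inline' never match
  const [, scheme, wildcard, host] = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)/) || [];
  if (scheme && scheme + ':' !== url.protocol) return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}
function isAllowed(policy, directive, urlString, pageOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  return sources.some(src => sourceAllows(src, url, pageOrigin));
}
function missingQuietDirectives(policy) { return QUIET.filter(d => !policy.has(d)); }

// Constructed sample policy and page origin for the demonstration.
const PAGE_ORIGIN = 'https://app.example.com';
const SAMPLE = parsePolicy("default-src 'self'; script-src 'self' https://cdn.example.com; " +
                           "img-src *; child-src https://video.example.com");
```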