
CSP Generator

Choose a preset, add external domains and copy a reasonable CSP header to test in report-only mode first.

build --content-security-policy local analysis / no remote fetch

Recommended use

Start with Report-Only, review the browser console and violation reports, then enforce the policy only once real features keep working under it.

Avoid `unsafe-inline` where possible. If needed, plan nonces or hashes for controlled scripts and styles.

Update the CSP whenever you add analytics, CDNs, fonts, video embeds or third-party services.
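
The workflow above as a Node.js sketch: a preset plus validated external domains, a per-response nonce in place of `unsafe-inline`, and a Report-Only header by default. This is an added example, not this tool's own code; the preset contents, the function names and the sample hostname and report path are assumptions.

```javascript
// Added example: preset contents and hostnames are assumptions.
const { randomBytes } = require("node:crypto");

// Hypothetical "strict" preset: same-origin by default, no 'unsafe-inline'.
const STRICT_PRESET = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "style-src": ["'self'"],
  "img-src": ["'self'", "data:"],
  "font-src": ["'self'"],
  "connect-src": ["'self'"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "frame-ancestors": ["'none'"],
};

// Only bare https origins are accepted, so a pasted value cannot smuggle
// in ';' or whitespace and rewrite the rest of the policy.
const ORIGIN_RE = /^https:\/\/(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(:\d+)?$/i;
const NONCE_RE = /^[A-Za-z0-9+\/]+={0,2}$/;
const REPORT_RE = /^(\/|https:\/\/)[^\s;,]+$/;

// Fresh, unpredictable nonce; generate one per HTTP response.
function newNonce() {
  return randomBytes(16).toString("base64");
}

function buildCsp({ external = {}, nonce, reportUri, reportOnly = true } = {}) {
  const policy = {};
  for (const [d, srcs] of Object.entries(STRICT_PRESET)) policy[d] = [...srcs];
  for (const [directive, origins] of Object.entries(external)) {
    if (!Object.hasOwn(policy, directive)) throw new Error(`unknown directive: ${directive}`);
    for (const origin of origins) {
      if (!ORIGIN_RE.test(origin)) throw new Error(`rejected source: ${origin}`);
      policy[directive].push(origin);
    }
  }
  if (nonce !== undefined) {
    if (!NONCE_RE.test(nonce)) throw new Error("nonce must be base64");
    // The same value goes on each controlled <script nonce> / <style nonce>.
    policy["script-src"].push(`'nonce-${nonce}'`);
    policy["style-src"].push(`'nonce-${nonce}'`);
  }
  if (reportUri !== undefined) {
    if (!REPORT_RE.test(reportUri)) throw new Error("bad report URI");
    policy["report-uri"] = [reportUri];
  }
  const value = Object.entries(policy)
    .map(([d, srcs]) => `${d} ${srcs.join(" ")}`).join("; ");
  const name = "Content-Security-Policy" + (reportOnly ? "-Report-Only" : "");
  return { name, value };
}
```

Call `buildCsp({ ..., reportOnly: false })` only after the reports from the Report-Only phase have gone quiet for the features you actually ship.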
