Generate a CSP you can paste into production.
Start with a safe baseline, ship in report-only mode first, then tighten directives as you verify real requests and remove unnecessary sources.
Policy inputs
The default fallback for any resource type without a more specific directive (default-src). Most sites begin with 'self'.
Keep script sources explicit so you can tighten them later.
Nonce helper
Generate a base64 nonce and append it to script-src and style-src as 'nonce-<value>'. A nonce must be unpredictable and freshly generated for every response; reusing one defeats its purpose.
Inline script hash
Paste inline script content, compute its SHA-256 hash, and insert the resulting 'sha256-…' expression into script-src. The hash covers the exact script text between the tags, so any change to whitespace or line endings produces a different value.
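The three inputs above (a default-src baseline, a per-response nonce, and an inline-script hash) assembled into a header, as an added example rather than the tool's own code. The function names, the sample inline script, and the inclusion of object-src 'none' and base-uri 'self' as baseline hardening are assumptions for illustration; the header is emitted in report-only form by default, matching the rollout order the page recommends.

```python
import base64
import hashlib
import secrets

# Added example, not the page's generator code. Names below are constructed.


def generate_nonce(num_bytes: int = 16) -> str:
    """Return a fresh base64 nonce. Generate a new one for every response."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def script_hash(source: str) -> str:
    """Return the 'sha256-...' source expression for an inline script body.

    The digest is taken over the exact bytes between <script> and </script>,
    so leading/trailing whitespace and line endings change the result.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(default_src=("'self'",), script_src=("'self'",),
              style_src=("'self'",), nonce=None, script_hashes=(),
              report_only=True, report_uri=None):
    """Assemble (header_name, header_value) from the policy inputs.

    report_only=True selects Content-Security-Policy-Report-Only so the
    policy can be observed against real traffic before it is enforced.
    """
    script = list(script_src)
    style = list(style_src)
    if nonce:
        nonce_expr = f"'nonce-{nonce}'"
        script.append(nonce_expr)
        style.append(nonce_expr)
    script.extend(script_hashes)
    directives = [
        "default-src " + " ".join(default_src),
        "script-src " + " ".join(script),
        "style-src " + " ".join(style),
        # Assumed baseline hardening, not one of the page's listed inputs.
        "object-src 'none'",
        "base-uri 'self'",
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, "; ".join(directives)


if __name__ == "__main__":
    # Constructed inline script; in practice this is the literal text
    # between the <script> tags of the page being served.
    inline = "document.getElementById('year').textContent = '2024';"
    nonce = generate_nonce()
    header, value = build_csp(nonce=nonce,
                              script_hashes=[script_hash(inline)],
                              report_uri="/csp-report")  # assumed endpoint
    print(f"{header}: {value}")
    print(f'<script nonce="{nonce}">app.init();</script>')
```

Ship the report-only header first, review the violation reports for sources you actually need, then switch report_only to False once the policy no longer blocks legitimate requests.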