All tools
/ tool · 04

CSP Generator

Build a complete Content-Security-Policy with a visual editor — pick directives, toggle keywords, add hosts; the header builds live.

Import existing policy

Fetch a CSP via URL (reads HTTP headers + <meta> tags) or paste a header directly to pre-fill the editor.

// Reads Content-Security-Policy, Content-Security-Policy-Report-Only and <meta> tags.

// No directive selected

Meta Tag mode doesn't support frame-ancestors, report-uri, report-to or sandbox.

Directives

Click a keyword to toggle it. Type hosts/URLs separated by spaces in the custom field.

─ Fetch Directives — Sources autorisées par type de ressource récupérée.
default-src — Fallback pour toutes les autres fetch directives.
script-src — <script>, eval(), workers inline, event handlers.
script-src-elem — Restreint uniquement les balises <script>.
script-src-attr — Event handlers inline (onclick, etc.).
style-src — <style>, <link rel="stylesheet">, attributs style inline.
style-src-elem — Restreint <style> et <link rel="stylesheet">.
style-src-attr — Attributs style inline.
img-src — <img>, favicon, background-image, etc.
connect-src — fetch, XHR, WebSocket, EventSource, Beacon.
font-src — @font-face — sources des fontes.
frame-src — <frame> et <iframe>.
media-src — <audio>, <video>, <track>.
object-src — Plugins (<object>, <embed>) — recommandé : 'none'.
manifest-src — Web App Manifest.
worker-src — Web Workers, Service Workers, Shared Workers.
child-src — Workers + frames (legacy — préférer worker-src + frame-src).
prefetch-src — <link rel="prefetch"> (déprécié).
fenced-frame-src — <fencedframe> (Privacy Sandbox).
─ Document & Navigation — Restrictions au niveau document et navigation.
base-uri — Valeurs autorisées dans <base href>.
form-action — Cibles de soumission des <form>.
frame-ancestors — Pages autorisées à embedder cette page (remplace X-Frame-Options).
sandbox — Sandbox la page (sans valeur = sandbox total).
─ Reporting — Endpoints pour recevoir les rapports de violation.
report-uri — Endpoint qui reçoit les rapports (déprécié mais encore utilisé).
report-to — Groupe défini via l'en-tête Reporting-Endpoints.
─ Trusted Types & Other — Directives complémentaires et toggles.
require-trusted-types-for — Active Trusted Types pour les sinks.
trusted-types — Politiques Trusted Types autorisées.
— Convertit automatiquement HTTP → HTTPS.
— Bloque tout contenu HTTP sur une page HTTPS (déprécié).

Coverage

  • Fetch directives — all 18 fetch directives (script, style, img, connect, font, frame, media, object, manifest, worker, child, prefetch, fenced-frame, +elem/attr).
  • Document & nav — base-uri, form-action, frame-ancestors, sandbox.
  • Reporting — report-uri (legacy) + report-to (modern).
  • Trusted Types — require-trusted-types-for, trusted-types.
  • Modes — HTTP header / meta tag / Report-Only.
  • Live — live build + copy button.