/ tool · 04
CSP Generator
Build a complete Content-Security-Policy with a visual editor — pick directives, toggle keywords, add hosts; the header builds live.
Import existing policy
Fetch a CSP via URL (reads HTTP headers + <meta> tags) or paste a header directly to pre-fill the editor.
// Reads Content-Security-Policy, Content-Security-Policy-Report-Only and <meta> tags.
// Accepts the raw header, directives only, or the full <meta> tag.
// No directive selected
ℹ Meta Tag mode doesn't support frame-ancestors, report-uri, report-to or sandbox.
Directives
Click a keyword to toggle it. Type hosts/URLs separated by spaces in the custom field.
─ Fetch Directives — Sources autorisées par type de ressource récupérée.
default-src
— Fallback pour toutes les autres fetch directives.
script-src
— <script>, eval(), workers inline, event handlers.
script-src-elem
— Restreint uniquement les balises <script>.
script-src-attr
— Event handlers inline (onclick, etc.).
style-src
— <style>, <link rel="stylesheet">, attributs style inline.
style-src-elem
— Restreint <style> et <link rel="stylesheet">.
style-src-attr
— Attributs style inline.
img-src
— <img>, favicon, background-image, etc.
connect-src
— fetch, XHR, WebSocket, EventSource, Beacon.
font-src
— @font-face — sources des fontes.
frame-src
— <frame> et <iframe>.
media-src
— <audio>, <video>, <track>.
object-src
— Plugins (<object>, <embed>) — recommandé : 'none'.
manifest-src
— Web App Manifest.
worker-src
— Web Workers, Service Workers, Shared Workers.
child-src
— Workers + frames (legacy — préférer worker-src + frame-src).
prefetch-src
— <link rel="prefetch"> (déprécié).
fenced-frame-src
— <fencedframe> (Privacy Sandbox).
─ Document & Navigation — Restrictions au niveau document et navigation.
base-uri
— Valeurs autorisées dans <base href>.
form-action
— Cibles de soumission des <form>.
frame-ancestors
— Pages autorisées à embedder cette page (remplace X-Frame-Options).
sandbox
— Sandbox la page (sans valeur = sandbox total).
─ Reporting — Endpoints pour recevoir les rapports de violation.
report-uri
— Endpoint qui reçoit les rapports (déprécié mais encore utilisé).
report-to
— Groupe défini via l'en-tête Reporting-Endpoints.
─ Trusted Types & Other — Directives complémentaires et toggles.
require-trusted-types-for
— Active Trusted Types pour les sinks.
trusted-types
— Politiques Trusted Types autorisées.
— Convertit automatiquement HTTP → HTTPS.
— Bloque tout contenu HTTP sur une page HTTPS (déprécié).
Coverage
- Fetch directives — all 18 fetch directives (script, style, img, connect, font, frame, media, object, manifest, worker, child, prefetch, fenced-frame, +elem/attr).
- Document & nav — base-uri, form-action, frame-ancestors, sandbox.
- Reporting — report-uri (legacy) + report-to (modern).
- Trusted Types — require-trusted-types-for, trusted-types.
- Modes — HTTP header / meta tag / Report-Only.
- Live — live build + copy button.