Mock CSP Header Generator

A mock CSP header generator produces example Content-Security-Policy headers for learning, testing, and documentation. CSP is a powerful browser security feature that controls which sources a page may load scripts, styles, images, and other resources from, helping defend against cross-site scripting and injection attacks. This tool emits valid CSP headers at different strictness levels, from a locked-down policy to a report-only one. Choose a level and copy the header. It is ideal for learning CSP, hardening a site, and documenting security headers. The headers follow the real CSP syntax, so they show how directives like default-src, script-src, and frame-ancestors restrict resource origins. A practical tip: start with a report-only policy to see what a strict CSP would block before enforcing it, since a too-tight policy can break a working site. Adapt the directives and allowed sources to your own application before deploying.

How to use

  1. Choose your options above
  2. Click Generate
  3. Copy your result

Detailed instructions

  1. Choose a strictness level.
  2. Click Generate to produce a CSP header.
  3. Test it in report-only mode first.
  4. Adapt the sources to your app.

Use Cases

  • Learning Content-Security-Policy
  • Hardening a website
  • Documenting security headers
  • Testing CSP configuration
  • Demoing web security

Tips

  • Start with report-only mode.
  • A strict CSP can break a site.
  • Allow only the sources you need.
  • frame-ancestors guards against clickjacking.

FAQ

What does Content-Security-Policy do?

CSP tells the browser which sources a page may load scripts, styles, images, and other resources from. By restricting origins, it helps prevent cross-site scripting and injection attacks, since injected code from an untrusted source is blocked.

What is report-only mode?

A report-only CSP blocks nothing; instead the browser reports what the policy would have blocked to a reporting endpoint you specify. That lets you test a strict policy against a live site safely before enforcing it, avoiding breakage from a too-tight policy.

Why might a strict CSP break my site?

A strict policy can block scripts, styles, or other resources your site actually relies on, such as inline scripts, third-party widgets, or CDN-hosted files. Starting in report-only mode reveals what would break, so you can allow the legitimate sources before enforcing.
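As an added example that is not the generator's own code, the following JavaScript does in miniature what the description and the FAQ above explain: it builds a Content-Security-Policy header at two strictness levels (strict and moderate), switches the header into report-only mode with a report-uri, and then previews which of a constructed set of page resources each level would block, which is exactly the information a report-only rollout surfaces. The level definitions, the CDN host cdn.example.com, the page origin and the report endpoint are illustrative assumptions, and the source matcher is deliberately simplified (keywords, scheme sources and host origins only).

```javascript
// Added example, not the generator's own code: build Content-Security-Policy
// headers at two strictness levels and preview which page resources a level
// would block, which is what a report-only rollout reveals in practice.
// The levels, the CDN host and the report endpoint are illustrative assumptions.

const LEVELS = {
  // Locked down: deny everything by default, allow same-origin only,
  // forbid framing (clickjacking), and pin <base> and form targets.
  strict: {
    "default-src": ["'none'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'"],
    "connect-src": ["'self'"],
    "font-src": ["'self'"],
    "frame-ancestors": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
  },
  // Looser: a hypothetical CDN for scripts, inline styles, remote images.
  moderate: {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:", "https:"],
    "frame-ancestors": ["'self'"],
  },
};

// Serialize a directive map to the header value: "name src src; name src".
function serializePolicy(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Build the header for a level. In report-only mode the header name changes
// and a report-uri directive tells the browser where to send violations.
function buildHeader(level, { reportOnly = false, reportUri = "/csp-report" } = {}) {
  if (!LEVELS[level]) throw new Error(`unknown level: ${level}`);
  const directives = { ...LEVELS[level] };
  if (reportOnly) directives["report-uri"] = [reportUri];
  return {
    name: reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
    value: serializePolicy(directives),
  };
}

// Simplified source matching: keywords, scheme sources ("https:", "data:")
// and host sources compared by origin. Real CSP also matches wildcards,
// paths, ports, nonces and hashes, which this preview does not model.
function sourceAllows(source, resource, pageOrigin) {
  if (resource.inline) return source === "'unsafe-inline'";
  if (source === "'none'" || source === "'unsafe-inline'") return false;
  const url = new URL(resource.url);
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.endsWith(":")) return url.protocol === source;
  return url.origin === new URL(source).origin;
}

// Fetch directives fall back to default-src when not set explicitly.
function effectiveSources(directives, directive) {
  return directives[directive] || directives["default-src"] || null;
}

// Report-only preview: list the resources a level would block, as
// "directive: url" (or "directive: inline") strings.
function previewViolations(level, resources, pageOrigin) {
  const directives = LEVELS[level];
  return resources
    .filter((r) => {
      const sources = effectiveSources(directives, r.directive);
      return sources && !sources.some((s) => sourceAllows(s, r, pageOrigin));
    })
    .map((r) => `${r.directive}: ${r.inline ? "inline" : r.url}`);
}

// Constructed sample: the resources a fictional page at PAGE_ORIGIN loads.
const PAGE_ORIGIN = "https://app.example.test";
const SAMPLE_RESOURCES = [
  { directive: "script-src", url: "https://app.example.test/js/app.js" },
  { directive: "script-src", url: "https://cdn.example.com/lib.js" },
  { directive: "script-src", inline: true },
  { directive: "style-src", inline: true },
  { directive: "img-src", url: "data:image/png;base64,iVBORw0KGgo=" },
  { directive: "img-src", url: "https://images.example.test/logo.png" },
];

for (const level of Object.keys(LEVELS)) {
  const h = buildHeader(level, { reportOnly: true });
  console.log(`${level}: ${h.name}: ${h.value}`);
  console.log("  would block:", previewViolations(level, SAMPLE_RESOURCES, PAGE_ORIGIN));
}
```

Running it shows the strict level blocking five of the six sample resources (the CDN script, both inline blocks and both images) while the moderate level blocks only the inline script; that is the gap a report-only deployment exposes before you tighten the enforced header.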