CSP & Security Headers Builder

Build a Content-Security-Policy interactively. Get a real-time security grade, detect misconfigs, and export for HTTP headers, Nginx, or Apache.

Security grade for the default configuration: A+ (score 100/100), no issues detected.

CSP Directives

  • default-src: 'self'
  • script-src: 'self'
  • style-src: 'self'
  • img-src: 'self' data:
  • connect-src: 'self'
  • font-src: (unset)
  • frame-src: (unset)
  • media-src: (unset)
  • object-src: 'none'
  • base-uri: 'self'
  • form-action: (unset)

Additional Headers

  • Strict-Transport-Security (HSTS)

Generated Output

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), fullscreen=(self)
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Permissions-Policy features restricted by default

  • camera
  • microphone
  • geolocation
  • payment
  • fullscreen

Why HTTP Security Headers Matter

Security headers are HTTP response headers that instruct the browser to enable or disable specific security features. Correctly configured headers mitigate entire classes of attacks — XSS, clickjacking, MIME-sniffing, and man-in-the-middle attacks — without writing a single line of application code.

Most websites receive an F or D grade on security header scanners like securityheaders.com because developers find the documentation complex and the exact syntax difficult to remember. This tool generates the correct headers interactively, explains each option in plain English, and scores your configuration in real time.

Key Security Headers Explained

  • Content-Security-Policy — controls which resources browsers can load (primary XSS defense)
  • Strict-Transport-Security — forces HTTPS-only connections for the specified duration
  • X-Content-Type-Options: nosniff — prevents MIME type sniffing attacks
  • X-Frame-Options — prevents clickjacking via iframe embedding
  • Referrer-Policy — controls how much referrer information is included with requests
  • Permissions-Policy — restricts browser feature API access (camera, microphone, geolocation)

CSP & Security Headers FAQs

A Content Security Policy is an HTTP response header that allows web servers to control which resources (scripts, styles, images, fonts, etc.) a browser is allowed to load on a page. It is one of the most powerful defenses against Cross-Site Scripting (XSS) and data injection attacks.

The 'unsafe-inline' source expression allows execution of inline scripts and inline styles, which defeats CSP's primary defense against XSS: an attacker who can inject markup can inject inline code that the browser will execute without restriction. This tool deducts from the security grade and warns you when it detects 'unsafe-inline' in your policy.
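To show how a policy string like the one in the generated output is parsed and graded, here is an added Python example; it is not the tool's own code. The penalty weights and letter-grade thresholds are assumptions chosen for illustration, and both sample policies are constructed (the first reproduces the builder's default output above).

```python
"""Parse a Content-Security-Policy header and flag common misconfigurations.

Added example, not the builder's own code: the deduction weights and the
letter-grade thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample policies: the builder's default output and a weak variant.
STRICT_POLICY = (
    "default-src 'self'; script-src 'self'; style-src 'self'; "
    "img-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'"
)
WEAK_POLICY = (
    "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
    "https://cdn.example.com; style-src 'self' 'unsafe-inline'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split "name src src; name src" into {name: [sources]}; names are case-insensitive."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        # A directive repeated later in the same policy is ignored; only the first counts.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


@dataclass
class Finding:
    directive: str
    problem: str
    penalty: int


@dataclass
class Audit:
    score: int
    grade: str
    findings: list[Finding] = field(default_factory=list)


def audit_csp(header: str) -> Audit:
    """Score a policy out of 100 and list the misconfigurations that cost points."""
    policy = parse_csp(header)
    findings: list[Finding] = []

    def in_force(name: str) -> list[str]:
        # Fetch directives fall back to default-src when they are not set explicitly.
        return policy.get(name, policy.get("default-src", []))

    if "default-src" not in policy:
        findings.append(Finding("default-src", "missing; unlisted fetch directives are unrestricted", 20))
    for name in ("script-src", "style-src"):
        sources = in_force(name)
        is_script = name == "script-src"
        if "'unsafe-inline'" in sources:
            findings.append(Finding(name, "'unsafe-inline' lets injected inline code run", 30 if is_script else 10))
        if is_script and "'unsafe-eval'" in sources:
            findings.append(Finding(name, "'unsafe-eval' allows eval() and new Function()", 15))
        if is_script and any(s in ("*", "http:", "https:") for s in sources):
            findings.append(Finding(name, "wildcard or scheme-only source allows scripts from any host", 25))
    if in_force("object-src") != ["'none'"]:
        findings.append(Finding("object-src", "should be 'none' to block plugin content", 10))
    if "base-uri" not in policy:  # base-uri does not inherit from default-src
        findings.append(Finding("base-uri", "missing; an injected <base> tag can redirect relative script URLs", 10))

    score = max(0, 100 - sum(f.penalty for f in findings))
    for limit, letter in ((95, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= limit:
            grade = letter
            break
    else:
        grade = "F"
    return Audit(score, grade, findings)


if __name__ == "__main__":
    for label, policy in (("strict", STRICT_POLICY), ("weak", WEAK_POLICY)):
        result = audit_csp(policy)
        print(f"{label}: {result.grade} ({result.score}/100)")
        for f in result.findings:
            print(f"  - {f.directive}: {f.problem} (-{f.penalty})")
```

The fallback lookup matters: a policy that omits object-src while default-src is `*` still allows plugin content, so the check has to look at the sources actually in force rather than only at the directives that were written.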

HTTP Strict Transport Security (HSTS) is a header that tells browsers to only communicate with your site over HTTPS, never plain HTTP. Once a browser sees this header, it will refuse to make insecure connections for the specified max-age duration, preventing downgrade attacks and cookie hijacking.

Yes. Switch the output tab to Nginx or Apache to get a ready-to-paste server configuration block with all selected security headers applied. The HTTP tab generates headers as key: value pairs, and the Meta tab generates HTML meta http-equiv equivalents for static sites.

X-Frame-Options prevents your site from being embedded in an iframe on another origin, which defends against clickjacking attacks. DENY prevents all framing; SAMEORIGIN allows framing only from the same origin. The modern equivalent is the frame-ancestors CSP directive.
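The HSTS, export and X-Frame-Options answers above describe three small transformations. Here they are as an added Python example, not the builder's own code: an HSTS parser with validity checks, the X-Frame-Options to frame-ancestors mapping, and a renderer that emits a header set as Nginx or Apache configuration. The preload rule encoded below is the public preload-list requirement (max-age of at least one year, includeSubDomains and preload present); the sample header values are the ones from the generated output above.

```python
"""Validate Strict-Transport-Security, map X-Frame-Options to frame-ancestors,
and render a header set as Nginx or Apache configuration.

Added example, not the builder's own code.
"""
from __future__ import annotations

PRELOAD_MIN_MAX_AGE = 31536000  # one year: the minimum the preload list accepts

# Sample header set taken from the generated output above.
SAMPLE_HEADERS = {
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}


def parse_hsts(value: str) -> dict[str, object]:
    """Parse 'max-age=N; includeSubDomains; preload' into its settings."""
    max_age = None
    flags: set[str] = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        key = key.strip().lower()  # directive names are case-insensitive
        if key == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                raise ValueError(f"invalid max-age: {val!r}") from None
        else:
            flags.add(key)
    if max_age is None:
        raise ValueError("HSTS requires a max-age directive")
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in flags,
        "preload": "preload" in flags,
    }


def hsts_findings(value: str) -> list[str]:
    """Return human-readable problems with an HSTS value; an empty list means it is sound."""
    s = parse_hsts(value)
    notes: list[str] = []
    if s["max_age"] == 0:
        notes.append("max-age=0 tells browsers to forget the HSTS entry")
    elif s["max_age"] < PRELOAD_MIN_MAX_AGE:
        notes.append("max-age below one year; a short window weakens downgrade protection")
    if s["preload"] and not (s["include_subdomains"] and s["max_age"] >= PRELOAD_MIN_MAX_AGE):
        notes.append("preload token present but the policy does not meet preload-list requirements")
    return notes


def frame_ancestors_for(x_frame_options: str) -> str:
    """Map a legacy X-Frame-Options value to the equivalent CSP frame-ancestors directive."""
    mapping = {"DENY": "frame-ancestors 'none'", "SAMEORIGIN": "frame-ancestors 'self'"}
    try:
        return mapping[x_frame_options.strip().upper()]
    except KeyError:
        raise ValueError("only DENY and SAMEORIGIN have a frame-ancestors equivalent") from None


def render(headers: dict[str, str], target: str) -> str:
    """Emit the headers as Nginx add_header lines or an Apache mod_headers block."""
    if target not in ("nginx", "apache"):
        raise ValueError(f"unknown target {target!r}")
    lines = []
    for name, value in headers.items():
        escaped = value.replace('"', '\\"')
        if target == "nginx":
            # 'always' makes Nginx add the header on error responses too, not only 2xx/3xx.
            lines.append(f'add_header {name} "{escaped}" always;')
        else:
            lines.append(f'Header always set {name} "{escaped}"')
    if target == "apache":
        lines = ["<IfModule mod_headers.c>"] + ["    " + line for line in lines] + ["</IfModule>"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(hsts_findings(SAMPLE_HEADERS["Strict-Transport-Security"]) or "HSTS value is sound")
    print(frame_ancestors_for(SAMPLE_HEADERS["X-Frame-Options"]))
    print(render(SAMPLE_HEADERS, "nginx"))
    print(render(SAMPLE_HEADERS, "apache"))
```

Note that `frame_ancestors_for` only covers DENY and SAMEORIGIN; the obsolete ALLOW-FROM form has no single-directive equivalent and is rejected rather than guessed at.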
