CSP Generator

Build Content Security Policy headers locally. Free, private, runs in your browser.

100% private — your files and text never leave your browser. All processing happens locally on your device.

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; connect-src 'self' https://api.example.com; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'
CSP Generator Report
Mode: HTTP header
Directives: 10

Issues:
None.

Build A Policy From Directives

CSP Generator assembles Content Security Policy directives into an HTTP header or meta tag. Source-expression validation catches obvious typos such as stray semicolons, malformed directives, and invalid tokens.

Nonce, Hash, And Reporting Placeholders

The default policy includes practical placeholders for nonces, report endpoints, and common sources. Replace placeholders in your application code before enforcing the policy.

Test Before Enforcing

A strict CSP can break production pages by blocking scripts, styles, images, fonts, frames, workers, or API calls. Use Report-Only mode and browser reports before switching to enforcement.
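One way to fill the 'nonce-PLACEHOLDER' slot per response and start in Report-Only mode, as an added example that is not the tool's own code. The names `TEMPLATE`, `newNonce`, `buildCspHeader` and `renderResponse` are hypothetical, and the policy string is the default output shown above.

```javascript
// Added example, not Convertful's code. Web Crypto is a global in Node 19+ and
// browsers; older CommonJS Node falls back to node:crypto.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Generator output from this page, minus the header name.
const TEMPLATE = "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; " +
  "connect-src 'self' https://api.example.com; font-src 'self' data:; " +
  "object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'";

// 128 bits of CSPRNG output, base64-encoded; call once per response.
function newNonce() {
  return Buffer.from(rng.getRandomValues(new Uint8Array(16))).toString('base64');
}

// Substitute the nonce and pick the header name. Throws rather than shipping
// a policy that still contains a literal placeholder.
function buildCspHeader(template, nonce, reportOnly) {
  if (!/^[A-Za-z0-9+\/_-]+={0,2}$/.test(nonce)) throw new Error('nonce is not a base64 value');
  const value = template.split("'nonce-PLACEHOLDER'").join(`'nonce-${nonce}'`);
  if (value === template) throw new Error('template has no nonce placeholder');
  if (/PLACEHOLDER/i.test(value)) throw new Error('unreplaced placeholder left in policy');
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { name, value };
}

// One response: the header and the inline <script> must carry the same nonce.
function renderResponse(reportOnly) {
  const nonce = newNonce();
  const header = buildCspHeader(TEMPLATE, nonce, reportOnly);
  const body = `<!doctype html><script nonce="${nonce}">console.log("inline ok")</script>`;
  return { nonce, header, body };
}

const sample = renderResponse(true);
console.log(`${sample.header.name}: ${sample.header.value}`);
```

Calling `renderResponse(false)` emits the enforcing header once the Report-Only run shows no unexpected violations.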

FAQ

Does CSP Generator scan my website?

No. It only builds a policy from the directives and source expressions you enter.

Can CSP break a site?

Yes. CSP can block scripts, styles, images, frames, fonts, workers, or API calls. Test with Content-Security-Policy-Report-Only first.

Are nonce and hash placeholders supported?

Yes. You can use placeholders such as 'nonce-PLACEHOLDER' or hash placeholders, then replace them in your app.

Should I use a meta tag?

Prefer an HTTP header. Meta tag mode is available for quick prototypes but cannot reliably support directives such as frame-ancestors and reporting.

Is this a live CSP validator?

No. It validates source-expression shape locally but does not inspect browser reports or fetch URLs.