Content Security Policy Generator

Build a Content Security Policy (CSP) header to protect your site against XSS, code injection, and data exfiltration attacks. Choose from strict, relaxed, or custom presets - then copy the header to your server or HTML meta tag.

FAQ

CSP is an HTTP response header that controls what resources the browser is allowed to load. It's the most effective defense against XSS attacks - by specifying allowed sources for scripts, styles, images, and more, you prevent injected malicious code from executing. CSP can be delivered as a header or via a meta tag.

Avoid if possible. 'unsafe-inline' disables CSP's protection against inline script injection (the most common XSS vector). Alternatives: use nonces (cryptographically random tokens), hashes, or move all scripts to external files. If you must use it temporarily, pair with a strict default-src.

Allowing 'unsafe-inline' in script-src defeats the purpose of CSP for XSS protection. Nonces (random tokens that change per request) and hashes (SHA-256 of the script content) allow specific inline scripts while blocking injected ones. This provides XSS protection without requiring all scripts to be external.

The browser logs a CSP violation to the console (e.g., "Refused to load the script..."). The resource is not loaded or executed. You can configure a report-uri or report-to directive to send violation reports to your server for monitoring. This helps you identify misconfigurations and potential attacks.

Use Content-Security-Policy-Report-Only header instead of the enforcing header. This sends violation reports without blocking resources. Check your browser's console for CSP violation messages, fine-tune the policy, then switch to the enforcing header when everything passes.
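As an added example (not the generator's own code), the following Python shows the nonce and hash mechanics described above together with the Report-Only rollout: it derives the `'sha256-...'` source expression from inline script text, mints a per-request nonce, assembles the policy, and models the browser's allow/refuse decision, including the rule that `'unsafe-inline'` is ignored once a nonce or hash source is present. The directive set and the `/csp-report` path are assumptions for illustration.

```python
import base64
import hashlib
import secrets
from typing import List, Optional

def script_hash(source: str) -> str:
    """CSP hash-source for an inline script: base64(SHA-256) of the exact script text."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def new_nonce() -> str:
    """Per-request nonce: 128 bits from a CSPRNG, base64-encoded; never reuse across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_policy(script_sources: List[str], report_uri: Optional[str] = None) -> str:
    """Assemble a strict policy; script_sources holds the script-src source expressions."""
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_sources),
        "object-src 'none'",
        "base-uri 'self'",
    ]
    if report_uri:  # violation reports go here (assumed endpoint)
        directives.append("report-uri " + report_uri)
    return "; ".join(directives)

def header_name(report_only: bool) -> str:
    """Report-Only reports violations without blocking; switch to enforcing once clean."""
    return "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"

def inline_script_allowed(script_sources: List[str], source: str,
                          nonce_attr: Optional[str] = None) -> bool:
    """Model the browser's decision for one inline <script>.
    When script-src carries any nonce or hash source, 'unsafe-inline' is ignored, so a
    script with no matching nonce attribute and unrecognised content is refused."""
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_sources)
    if not has_nonce_or_hash:
        return "'unsafe-inline'" in script_sources
    if nonce_attr and f"'nonce-{nonce_attr}'" in script_sources:
        return True
    return script_hash(source) in script_sources

if __name__ == "__main__":
    nonce = new_nonce()
    trusted = "console.log('constructed inline script');"  # constructed sample
    sources = ["'self'", f"'nonce-{nonce}'", script_hash(trusted)]
    print(header_name(report_only=True) + ": " + build_policy(sources, "/csp-report"))
    print("trusted allowed:", inline_script_allowed(sources, trusted))
    print("injected allowed:", inline_script_allowed(sources, "injected();"))
```

Serve the same policy under the Report-Only header name first, then switch to `Content-Security-Policy` once the reports at `report-uri` are clean.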