CSP Builder — BlackBox Society

1) Paste existing CSP (optional)

If you already have a CSP string, paste it here and click Parse to populate fields.

Existing CSP

Notes: parsing is best-effort; directives not represented below are preserved under Other directives.

2) Configure directives

One directive per box. Space-separated sources. Leave blank to omit.

Report-Only output include reporting in Report-Only upgrade-insecure-requests block-all-mixed-content require-trusted-types-for 'script'

default-src script-src style-src img-src connect-src font-src frame-ancestors base-uri form-action object-src report-uri (legacy; optional) report-to group (optional) Other directives (verbatim)

3) Output

Header value

Meta tag (fallback)

Tip: avoid 'unsafe-inline' and 'unsafe-eval' unless you fully understand the tradeoffs.

Quick sanity checks

Recommended: object-src 'none', base-uri 'self', frame-ancestors 'none' (if you don’t need embedding).
Risky: 'unsafe-inline', 'unsafe-eval', wildcard *.
For strict script control, consider nonces/hashes (not generated here).

This tool does not phone home; everything stays in your browser.