CSP Builder & Linter
Build a Content Security Policy from checkboxes or lint an existing CSP for foot-guns.
default-src
script-src
style-src
img-src
font-src
connect-src
media-src
object-src
frame-src
frame-ancestors
base-uri
form-action
As HTTP header
Content-Security-Policy:
About this tool
Two modes:
Build: pick directives and sources (self / none / unsafe-inline / nonce / hash / origins) to assemble a CSP header.
Lint: paste an existing CSP and the tool flags wildcards in script-src, unsafe-inline without a nonce/hash, missing object-src 'none' and base-uri 'none', deprecated directives, and frame-ancestors caveats.
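The lint checks listed above can be sketched as follows. This is an added example, not the tool's own code: the rule ids, the DEPRECATED list, the delivery parameter and the sample policies are assumptions made for illustration.

```javascript
// Added example: rule ids and the DEPRECATED list are assumptions, not the tool's own.
const DEPRECATED = new Set(['block-all-mixed-content', 'plugin-types', 'referrer', 'report-uri']);

// Parse a serialized policy into Map<directive, sources[]>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

const isNone = (src) => Array.isArray(src) && src.length === 1 && src[0].toLowerCase() === "'none'";

// delivery: 'header' or 'meta' (how the policy reaches the browser).
function lintCsp(policy, delivery = 'header') {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src when it is absent.
  const script = d.get('script-src') ?? d.get('default-src');
  if (!script) {
    findings.push('script-src-unrestricted');
  } else {
    const lower = script.map((s) => s.toLowerCase());
    // Any source containing "*", plus scheme-only sources such as https:, matches arbitrary hosts.
    if (lower.some((s) => s.includes('*') || /^(https?|data):$/.test(s))) findings.push('script-src-wildcard');
    const pinned = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    // With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    if (lower.includes("'unsafe-inline'") && !pinned) findings.push('script-src-unsafe-inline');
  }
  // object-src inherits from default-src; base-uri has no fallback.
  if (!isNone(d.get('object-src') ?? d.get('default-src'))) findings.push('object-src-not-none');
  if (!isNone(d.get('base-uri'))) findings.push('base-uri-not-none');
  for (const name of d.keys()) if (DEPRECATED.has(name)) findings.push(`deprecated:${name}`);
  // frame-ancestors is ignored when the policy is delivered via <meta>.
  if (delivery === 'meta' && d.has('frame-ancestors')) findings.push('frame-ancestors-ignored-in-meta');
  return findings;
}

// Constructed sample policies.
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; report-uri /csp";
const STRICT = "default-src 'none'; script-src 'nonce-r4nd0m' 'unsafe-inline'; base-uri 'none'; frame-ancestors 'self'";
console.log(lintCsp(WEAK));
console.log(lintCsp(STRICT, 'meta'));
```

STRICT passes the object-src check without naming the directive because default-src 'none' covers it, while base-uri has to be set explicitly.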