🧱

CSP 建構器

Interactive" data-tooltip="Edit directives and instantly see the full header value." cursor-help> Interactive

產生 Content Security Policy 標頭。

Security Checks

Existing CSP (optional)

Report-Only header

Tip: Use Report-Only to test safely in production.

Warnings

No warnings yet.

Space-separated sources

default-src

Fallback for most fetches

script-src

JS sources (use nonce/hash, avoid unsafe-inline)

style-src

CSS sources (consider hashes/nonces)

img-src

Images

connect-src

XHR/fetch/WebSocket

font-src

Fonts

frame-src

Frames/iframes

object-src

Plugins (usually 'none')

base-uri

Restrict tag

form-action

Where forms can POST

frame-ancestors

Who can embed you

Header output

This tool does not validate your site behavior — always test in a staging environment.

Report-Only lets you monitor policy violations without blocking content. Use it to roll out a strict policy safely.

Parse and generate curl commands.

Parse X.509 certificates and CSRs.

Analyze raw emails for SPF/DKIM/DMARC, routing hops, and embedded URLs.

Generate apache htpasswd entries.