About this tool
Assemble a Content-Security-Policy header string from common directives prefilled with 'self'; the header is built entirely in your browser.
Frequently asked questions
What does 'self' mean?
The 'self' keyword allows resources only from your own origin (same scheme, host and port), a safe default for most directives.
How do I deploy the header?
Send the generated string as an HTTP response header from your server or CDN, or place it in a <meta http-equiv> tag for static sites.
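The two deployment routes above, as an added example (not this tool's own code): it builds the header value from a directive map and derives the `<meta>` form. The function names and the sample policy are assumptions made for illustration; the `<meta>` variant drops `frame-ancestors`, `report-uri` and `sandbox`, which browsers honour only when the policy is sent as an HTTP header.

```javascript
// Added example: build a CSP header value and its <meta> equivalent.
// Keyword sources must be single-quoted; a bare `self` is parsed as a host name.
const KEYWORDS = ["self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"];
// Directives that browsers ignore when the policy arrives in a <meta> element.
const HEADER_ONLY = ["frame-ancestors", "report-uri", "sandbox"];

// Hypothetical helper: { "img-src": ["'self'", "data:"] } -> "img-src 'self' data:"
function buildCsp(directives) {
  const parts = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (!/^[a-z][a-z-]*$/.test(name)) throw new Error(`bad directive name: ${name}`);
    for (const src of sources) {
      if (KEYWORDS.includes(src)) throw new Error(`${name}: write '${src}' with single quotes`);
      // ';' ends a directive and ',' ends a policy, so neither may appear in a source.
      if (/[;,\s]/.test(src)) throw new Error(`${name}: source contains a separator: ${src}`);
    }
    parts.push(sources.length ? `${name} ${sources.join(" ")}` : name);
  }
  return parts.join("; ");
}

// Hypothetical helper: returns the <meta> tag plus the directives it had to drop.
function toMetaTag(directives) {
  const kept = {};
  const dropped = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (HEADER_ONLY.includes(name)) dropped.push(name);
    else kept[name] = sources;
  }
  // Escape for an HTML attribute delimited by double quotes.
  const content = buildCsp(kept).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return { tag: `<meta http-equiv="Content-Security-Policy" content="${content}">`, dropped };
}

// Constructed sample policy, prefilled with 'self' as the tool does.
const samplePolicy = {
  "default-src": ["'self'"],
  "img-src": ["'self'", "data:"],
  "object-src": ["'none'"],
  "frame-ancestors": ["'self'"],
};

console.log("Content-Security-Policy: " + buildCsp(samplePolicy));
console.log(toMetaTag(samplePolicy));
```

If `dropped` is non-empty, send the policy as a response header instead, or the dropped protections are not enforced.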