DEV Community

Dev Nestio
Dev Nestio

Posted on

I built a visual CSP header generator (no more hand-editing Content-Security-Policy)

#security #webdev #tools #javascript

What I built

Added CSP Generator to devnestio — a browser-only tool for building Content Security Policy headers visually.

👉 https://csp-generator.pages.dev

The problem with hand-writing CSP

Content Security Policy strings look like this:

Content-Security-Policy: default-src 'none'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https:; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests
Enter fullscreen mode Exit fullscreen mode

One typo — a missing quote around 'self', a wrong directive name — and your site breaks (or worse, the CSP silently does nothing). Getting the right combination of directives and sources for your specific use case requires knowing what each directive does.

Features

  • 16 directives covered: default-src, script-src, style-src, img-src, font-src, connect-src, frame-src, media-src, object-src, frame-ancestors, form-action, base-uri, upgrade-insecure-requests, block-all-mixed-content, report-uri, report-to
  • Toggle each directive on/off
  • Click to add preset keyword values ('self', 'none', 'unsafe-inline', 'strict-dynamic') and common hosts (CDNs, Google Fonts, YouTube, etc.)
  • Custom source input — add any URL or source expression
  • Unsafe warning — highlights when 'unsafe-inline' or 'unsafe-eval' is present
  • 4 quick presets: Strict, Moderate, SPA/CDN, API Only
  • Syntax-highlighted output with one-click copy (full header or value only)
  • Usage examples — HTTP header format and HTML meta tag format
  • Zero dependencies, single HTML file

Presets

Strictdefault-src 'none' with explicit allowlists per resource type. No unsafe-inline anywhere. Good baseline for new projects.

Moderatedefault-src 'self' with unsafe-inline in script-src and style-src (for legacy code). More permissive but still blocks third-party scripts by default.

SPA / CDN — Allows jsdelivr, unpkg, Google Fonts. Good starting point for apps that use CDN-hosted libraries.

API Only — Locks down everything except connect-src. For pure API endpoints that serve no HTML.

Tech

  • Pure Vanilla JS, no build step
  • 81 unit tests with Node.js assert
  • Deployed on Cloudflare Pages

Try it

👉 CSP Generator

All devnestio tools: https://devnestio.pages.dev

Feedback welcome — if a common host or use case is missing from the presets, let me know in the comments!

Top comments (0)