Build a Content-Security-Policy header from per-directive controls with self/none/unsafe-inline toggles, custom hosts, and inline warnings for weak choices like unsafe-inline and wildcards.
Compose a CSP header per directive for hardening your own (authorized) apps.
default-src: Fallback for fetch directives
script-src: JavaScript sources
style-src: Stylesheet sources
img-src: Image sources
connect-src: XHR / fetch / WebSocket
font-src: Font sources
frame-src: Embedded frame sources
frame-ancestors: Who may embed this page

default-src 'self'
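As an added example (not the builder's own code), the following JavaScript composes the header from a per-directive source map and emits the same kind of weak-choice warnings the tool shows inline; the directive names are standard CSP, while the warning rules and the sample policy are assumptions constructed for illustration.

```javascript
// Source expressions that broaden a directive far beyond a host allowlist.
const WEAK_TOKENS = new Set(["'unsafe-inline'", "'unsafe-eval'", "*"]);

// directives: { "script-src": ["'self'", "https://cdn.example"], ... }
// Returns the serialized header plus a list of warnings about weak choices.
function buildCsp(directives) {
  const warnings = [];
  const parts = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (!sources || sources.length === 0) continue; // untouched directive: omit it
    // 'none' only means "nothing" when it stands alone; browsers ignore it otherwise.
    if (sources.includes("'none'") && sources.length > 1) {
      warnings.push(`${name}: 'none' is ignored when other sources are listed`);
    }
    for (const src of sources) {
      if (WEAK_TOKENS.has(src)) {
        warnings.push(`${name}: ${src} weakens the policy`);
      } else if (src.includes("*")) {
        warnings.push(`${name}: wildcard host ${src} allows any matching subdomain`);
      } else if (/^(https?|data|blob):$/.test(src)) {
        warnings.push(`${name}: scheme-only source ${src} allows every host on that scheme`);
      }
    }
    parts.push(`${name} ${sources.join(" ")}`);
  }
  // frame-ancestors does not fall back to default-src, so its absence leaves framing open.
  if (!directives["frame-ancestors"] || directives["frame-ancestors"].length === 0) {
    warnings.push("frame-ancestors not set: any origin may embed this page");
  }
  return { header: parts.join("; "), warnings };
}

// Constructed sample policy: one weak keyword and one wildcard host, to be flagged.
const samplePolicy = buildCsp({
  "default-src": ["'self'"],
  "script-src": ["'self'", "'unsafe-inline'", "*.cdn.example"],
  "frame-ancestors": ["'none'"],
});
```

`samplePolicy.header` is the string to send as the `Content-Security-Policy` response header, and `samplePolicy.warnings` lists the two weak choices in the sample.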