CSP Policy Builder

Score drops to ‘Risky' after enabling 'unsafe-inline'

Allowing inline scripts or styles defeats the purpose of CSP — any reflected XSS now executes.

Fix: Replace 'unsafe-inline' with `'nonce-RANDOM'` (per-request) or `'sha256-...'` (per-snippet) hashes.

Browser ignores the header

CSP is case-sensitive on values and a stray semicolon can silently end the policy.

Fix: Use the Header tab to copy the exact serialized form; the builder normalises spacing and ordering for you.

frame-ancestors 'self' but page still embeds in iframe

Older browsers fall back to the `X-Frame-Options` header; some CDNs strip CSP on cached responses.

Fix: Set both `frame-ancestors 'self'` and `X-Frame-Options: SAMEORIGIN`, and verify the cache layer forwards security headers.

What does the score actually measure?

It runs the live policy through the same parser that the HTTP Header Inspector uses, then deducts points for every classic CSP weakness: missing default-src, missing frame-ancestors / base-uri, presence of `'unsafe-inline'` / `'unsafe-eval'`, wildcard `*` source lists, and missing object-src or upgrade-insecure-requests. The exact rules are open source in `lib/tools/security/csp-parser.ts`.

Should I ship CSP as a header or as a meta tag?

Always prefer the header — it covers more directives (`frame-ancestors` and `report-to` are header-only) and applies before any HTML parses. The meta tag is for static exports where you can't control headers; the builder generates both so you can copy whichever your deploy target supports.

How do I use nonces with this builder?

Paste the literal nonce value with the `'nonce-...'` quote syntax into the custom-source input on the script-src or style-src card (e.g. `'nonce-AbCdEf123='`). Generate a fresh nonce on each request server-side; the builder doesn't randomise for you because the nonce must match the one your server sets in the HTML.

Will the builder validate my CSP against my actual site?

No — validation requires loading your site in a browser. Pair this builder with the report-only header (`Content-Security-Policy-Report-Only`) and a reporting endpoint to collect real violations from production traffic before flipping enforcement on.

Is the `'strict-dynamic'` source enabled by default?

It is in the Moderate preset for `script-src`. `'strict-dynamic'` lets a trusted top-level script load further scripts dynamically without listing every URL, but it ignores host-based sources entirely in CSP3 browsers — that trade-off is why it's not in the Strict preset.

Does the builder support the new Trusted Types directive?

Not yet. Trusted Types (`require-trusted-types-for 'script'` and `trusted-types ...`) are in active rollout; we will add them to the standalone-directives section once browser support is stable across Safari and Firefox.