CSP Header Generator — Build a Strict Content-Security-Policy

Why Content-Security-Policy matters

Content-Security-Policy is the single most powerful HTTP header you can set. A well-configured CSP blocks cross-site scripting attacks at the browser level — even if your code is vulnerable. It tells the browser exactly which scripts, styles, images, fonts, and connections are allowed. Anything outside that whitelist is blocked and reported.

According to Google's own research, a strict CSP with nonces or hashes eliminates over 95% of reflected and stored XSS risk. Yet fewer than 12% of production websites have any CSP at all, and fewer than 2% have a strict one. The reason: building a CSP by hand is tedious and error-prone.

That is the problem ScanMyVibe's CSP generator solves.

How the CSP header generator works

ScanMyVibe crawls your site, watches every script, style, image and connect-src your pages actually use, then builds a CSP that allows exactly those sources and nothing more. The output is a ready-to-paste header that you can drop into your framework.

Paste your URL. We scan the main pages and inventory every external and inline resource.
Review the detected sources. Every domain, inline script, and event handler is listed with a reason.
Choose your strictness. Report-Only for testing, Enforce for production, Strict with nonces for maximum security.
Copy the header. Pick your stack — Next.js, Express, Fastify, nginx, Apache, Cloudflare Workers — and paste.
Deploy and verify. Re-scan with ScanMyVibe to confirm CSP is enforced correctly and no legitimate traffic is broken.

Example CSP headers by stack

Next.js 15 (app/layout.tsx or middleware):

headers: [
  {
    key: 'Content-Security-Policy',
    value: "default-src 'self'; script-src 'self' 'nonce-{NONCE}'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.scanmyvibe.co"
  }
]

Express / Node:

import helmet from 'helmet'
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "'nonce-RANDOM'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    imgSrc: ["'self'", 'data:', 'https:'],
  },
}))

nginx:

add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;" always;

The generator produces equivalent snippets for Cloudflare Workers, Apache, Caddy, Fastify, and Netlify _headers.

CSP directives explained

A CSP is a list of directives. The most important ones:

→ default-src — the fallback for every other directive. Set to 'self' by default.
→ script-src — where scripts can load from. Use 'nonce-X' or 'strict-dynamic' for strict mode.
→ style-src — where stylesheets can load from. 'unsafe-inline' is common but weakens protection.
→ img-src — where images can load from. data: is usually safe.
→ connect-src — where fetch, XHR and WebSockets can connect. Lock this down to your API domains.
→ frame-ancestors — who can embed your site in an iframe. Use 'none' unless you need embedding.
→ object-src — set to 'none' to block Flash and plugins.
→ base-uri — set to 'self' to prevent base tag injection.
→ form-action — restricts where forms can submit. Set to 'self'.
→ upgrade-insecure-requests — forces HTTPS on every subresource.

Report-Only mode and rollout strategy

The right way to ship a CSP: start in Report-Only mode, collect violations for a week, fix real issues, then switch to Enforce. ScanMyVibe generates both header variants and gives you a report endpoint to collect violations for free.

Deploy Content-Security-Policy-Report-Only with the generated policy.
Monitor real violations for 3–7 days on staging and production.
Whitelist any legitimate sources the scanner missed.
Switch the header to Content-Security-Policy (enforcing).
Re-scan with ScanMyVibe to verify enforcement and a clean bill of health.

Common CSP mistakes to avoid

→ Using 'unsafe-inline' for scripts. This defeats the purpose of CSP. Use nonces or hashes instead.
→ Using 'unsafe-eval'. Rarely needed. If you depend on it, refactor — it enables eval-based XSS.
→ Setting default-src *. Allows everything. Worse than no CSP at all.
→ Forgetting frame-ancestors. Without it, your site can be framed and clickjacked.
→ Whitelisting overly broad CDNs. Allowing https: gives every HTTPS site a script license on yours.
→ Skipping Report-Only. Going straight to enforce on production breaks real users.

Read the full guide in our blog post on HTTP security headers in 2026.

Frequently asked questions

What is a CSP header generator?

A tool that analyses your website and produces a Content-Security-Policy header that allows only the sources your real traffic uses, blocking everything else. Prevents most XSS attacks.

Is ScanMyVibe’s CSP generator free?

Yes. Generation and testing are free. Continuous violation reporting is included on the Pro tier.

Do I need CSP if I already have X-Frame-Options?

Yes. CSP is strictly more powerful. frame-ancestors in CSP replaces X-Frame-Options, and script-src blocks XSS that X-Frame-Options cannot touch.

Will CSP break my site?

It can if set too strict. Always start with Report-Only, collect real violations for a week, then switch to enforce.

What is a CSP nonce?

A random one-time token generated per request and attached to inline scripts. Scripts without the right nonce are blocked. It is the recommended way to allow inline scripts safely.

Does Next.js support CSP nonces?

Yes — generate a nonce in middleware, forward it as a header, and attach it to inline scripts. ScanMyVibe outputs a ready-to-paste Next.js middleware snippet.

How do I test my CSP after deploying?

Re-scan your URL with ScanMyVibe — we show the enforced CSP, flag weak directives, and simulate browser evaluation.

/ READY TO SCAN

Generate a CSP that actually works

Let ScanMyVibe analyse your site, build a strict CSP, and export the exact header for your stack.

GENERATE MY CSP →