Content Security Policy Builder

This service helps you in building and debugging a complete Content Security Policy for your website. It receives your CSP violation reports and optimizes your CSP settings.

How CSP works?

CSP is a web security feature that prevents a wide range of attacks such as Cross-Site Scripting, clickjacking and others. Website owner sets a HTTP header Content-Security-Policy describing what (images, scripts, frames...) exactly can be loaded and from where.

Building a full CSP is tricky, especially if you use external scripts — like advertisements or social plugins. One external JavaScript file can load another ones and create new frames, that will load yet another scripts and so on. CspBuilder.info is an attempt to simplify these iterations and make them as fast as possible.

How to start new policy?

  1. Add this unique CSP header to you web application (examples for Ruby, Django, PHP IIS Nginx Apache ASP.NET )
    Content-Security-Policy-Report-Only: default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; connect-src 'none'; font-src 'none'; object-src 'none'; media-src 'none'; frame-src 'none'; sandbox; report-uri http://cspbuilder.info/report/1481813497205502928/

    This CSP would block everything, but it's in report only mode so it won't break anything.

  2. Go to your website, refresh, load all pages, test dynamic code etc.

    Any items that would be blocked by teh CSP, will be now reported to our CSP receier.

  3. Go to your custom analysis URL

    Based on what would be blocked, we will propose a new policy allowing those items.

  4. Update CSP header in your application, go to item 2.

Each time you visit this page new unique identifier is generated. All received alerts will be deleted after one week.

See how it works

Firefox note

Firefox has a not very well thought security feature, which prevents the browser from sending reports to external CSP collectors. You will be seeing Content Security Policy: The report URI must be from the same eTLD+1 in Firefox when using CspBuilder. If you still want to use CspBuilder you can set up CNAME (e.g. csp.example.com) and contact me and I'll set up a virtual host on my side.

Resources