🛡 Content Security Policy

Configure CSP directives and see which attacks are blocked vs allowed

⚙️ Build Your CSP Header

Content-Security-Policy: loading...

💥 Attack Simulator — Select an attack to test against your policy

🖥 Browser Console:
CSP simulation ready
Directive What it controls Recommended value Without it
default-srcFallback for all resources'self'All origins allowed
script-srcJavaScript sources'self' 'nonce-xxx'Inline scripts run (XSS!)
style-srcCSS sources'self' 'nonce-xxx'CSS injection possible
img-srcImage sources'self' data: https:Tracking pixels from anywhere
connect-srcfetch/XHR destinations'self' https://api.example.comData exfiltration via fetch
frame-ancestorsWho can embed you (clickjacking)'none'Clickjacking attacks work