How to Generate a Content Security Policy Without Breaking Your Site

Updated April 2026

Quick answer: Generate a Content Security Policy by scanning your live page: CSPFixer fetches all your resource URLs and outputs a policy with the right directives. Always deploy as Content-Security-Policy-Report-Only first — this shows violations in the browser console without blocking anything. Switch to enforcing once violations stop.

A Content Security Policy blocks everything not explicitly allowed. Add one without scanning your page first and you will break your site. Here is the safe approach.

Two ways to generate a CSP

Option 1 — Scan your live URL (best for existing sites)

CSPFixer fetches your page, finds every script, style, font, and image source, and generates a working CSP automatically:

Generate CSP from live URL → CSPFixer

Option 2 — Build from scratch (best for new sites)

Select which third-party services you use (Google Analytics, Stripe, Intercom, etc.) and the generator builds the exact directives:

CSP Generator →

Always start in report-only mode

Before enforcing any CSP, deploy it as Content-Security-Policy-Report-Only. Violations appear in the browser console but nothing is blocked. You can find missing sources without breaking anything.

# Nginx — report-only mode
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://www.googletagmanager.com;" always;

# Enforce once violations stop appearing
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://www.googletagmanager.com;" always;

Minimum viable CSP

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self';

This blocks all external resources. Add sources incrementally as you identify what your page needs.

Common sources to add

Service | script-src | connect-src
Google Analytics 4 | https://www.googletagmanager.com | https://www.google-analytics.com
Google Fonts | — (style-src: https://fonts.googleapis.com, font-src: https://fonts.gstatic.com) |
Stripe | https://js.stripe.com | https://api.stripe.com
Intercom | https://js.intercomcdn.com | https://api.intercom.io
Hotjar | https://static.hotjar.com | https://*.hotjar.com
Cloudflare Turnstile | https://challenges.cloudflare.com |

The unsafe-inline problem

'unsafe-inline' in script-src defeats XSS protection entirely — it allows any inline script to run, including injected ones. Avoid it for scripts. For styles, 'unsafe-inline' in style-src is less dangerous and often required by CSS-in-JS frameworks.

If you need inline scripts, use nonces instead: generate a fresh random value for every response, put it in the header, and set the same value as the nonce attribute of each inline script tag you ship:

script-src 'self' 'nonce-RANDOM_VALUE_PER_REQUEST'
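An added example (not code from this article or from CSPFixer): a small Python helper that parses a CSP header value, flags 'unsafe-inline' in script-src and any missing object-src / base-uri / frame-ancestors from the minimum viable policy above, and rewrites a policy into the nonce form shown here. The function names and the 16-byte nonce length are my own choices.

```python
import secrets

def parse_csp(policy: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive: [source, ...]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def lint_csp(policy: str) -> list[str]:
    """Flag the weaknesses described above: 'unsafe-inline' for scripts
    (directly, or through the default-src fallback when script-src is
    absent) and a missing object-src, base-uri or frame-ancestors."""
    d = parse_csp(policy)
    findings = []
    script_sources = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        findings.append("script-src allows 'unsafe-inline': any inline or injected script runs")
    for required in ("object-src", "base-uri", "frame-ancestors"):
        if required not in d:
            findings.append(f"{required} is missing")
    return findings

def serialize_csp(directives: dict[str, list[str]]) -> str:
    """Rebuild a header value from the parsed form."""
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in directives.items()) + ";"

def new_nonce() -> str:
    """Unguessable nonce; generate a fresh one for every response, never reuse it."""
    return secrets.token_urlsafe(16)

def nonce_policy(base_policy: str, nonce: str) -> str:
    """Return base_policy with 'nonce-<nonce>' added to script-src. Any
    'unsafe-inline' there is dropped: browsers ignore it once a nonce is
    present, so leaving it in only makes the header read weaker than it is."""
    d = parse_csp(base_policy)
    srcs = [s for s in d.get("script-src", ["'self'"]) if s != "'unsafe-inline'"]
    d["script-src"] = srcs + [f"'nonce-{nonce}'"]
    return serialize_csp(d)

def script_tag(nonce: str, js: str) -> str:
    """Inline <script> carrying the header's nonce. `js` is assumed to be
    your own static code, not user input (a '</script>' inside it would
    end the tag early)."""
    return f'<script nonce="{nonce}">{js}</script>'
```

Run lint_csp on the policy you are about to enforce, and call nonce_policy with a new_nonce() value for each response rather than once at startup.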

Testing your CSP