Directives
Generated CSP
Header Format
Content-Security-Policy: default-src 'self'
Meta Tag Format
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
Common Values
'self' - Same origin only
'none' - Block all
'unsafe-inline' - Allow inline scripts/styles
'unsafe-eval' - Allow eval()
https: - Any HTTPS URL
data: - Data URIs
blob: - Blob URIs
*.example.com - Wildcard subdomain