KX Toolkit

CSP Generator from URL

Crawl a URL to discover all script/style/image/font origins, then generate a Content-Security-Policy header that won't break the site.

We parse the HTML, group every script / style / image / font / iframe origin, and build a Content-Security-Policy header that won't break the page.

This free CSP Generator from URL from KX Toolkit is part of our all-in-one online toolkit. One caveat specific to this tool: because it has to fetch the page you point it at, the URL you submit necessarily leaves your device, so the "your data never leaves your device" guarantee that applies to our purely client-side tools does not apply to the URL itself. 100% free, forever - no paywall, no credit card, no trial.

How to use the CSP Generator from URL

  1. Paste the full URL (including https://) of the page you want a policy for.
  2. Pick any options the tool supports, such as "Strict mode" to drop 'unsafe-inline' in favour of nonces or hashes.
  3. Click the action button to fetch the page and generate the header.
  4. Copy the resulting Content-Security-Policy header or download it as a file, then deploy it as Content-Security-Policy-Report-Only first (see the FAQ below).

What you can do with the CSP Generator from URL

  • Generate a baseline Content-Security-Policy for an existing site in one step instead of hand-listing every CDN, font and embed origin.
  • See which directive (script-src, style-src, img-src, font-src, media-src, frame-src) each third-party origin falls under.
  • Find out whether your page still depends on inline scripts or styles, and therefore on 'unsafe-inline'.
  • Produce the starting point for a report-only rollout before you enforce a policy.

Why use KX Toolkit's CSP Generator from URL

  • Browser-based: Works on Windows, macOS, Linux, iOS and Android - no install, no extension.
  • Privacy-first: Client-side tools never upload your data; server-side tools delete files right after processing.
  • Mobile-friendly: Full feature parity on phones and tablets - not a stripped-down view.
  • Fast: Optimised for instant feedback. No artificial waiting screens, no email-gated downloads.
  • One hub for everything: 300+ tools across SEO, text, image, PDF, code, color, calculators and more - skip switching between sites.

Tips for the best results

Bookmark the most-used tools - your browser bookmark bar is faster than retyping the URL every time.

Related Developer Tools

If you find this tool useful, explore the full Developer Tools collection or browse our complete tool directory. KX Toolkit is built for marketers, developers, designers, students and anyone who needs a quick utility without signing up for yet another SaaS.

What does this CSP generator actually do?
It fetches your page's HTML, parses every <script src>, <link rel="stylesheet">, <img src>, <iframe src>, <source src> and font preload, then groups every external origin (scheme + host, plus the port if it is non-default) by the CSP directive it falls under: script-src, style-src, img-src, frame-src, media-src or font-src. The output is a copy-pasteable Content-Security-Policy header that allows exactly the assets your page already loads, so when you add it the page keeps working.
Why does my generated CSP include 'unsafe-inline'?
Because we detected inline <script> or <style> tags in your HTML. If you remove 'unsafe-inline', those inline blocks will be blocked and the page will likely break (think: Google Tag Manager bootstrap, theme-toggle scripts, critical CSS). Toggle "Strict mode" on to drop 'unsafe-inline' and allow inline blocks by nonce or hash instead: a hash ('sha256-...') works for inline content that never changes, while a nonce has to be generated server-side for every response and added to every inline tag. Two caveats: once a nonce or hash is present in a directive, browsers ignore 'unsafe-inline' in that directive, and neither nonces nor hashes cover inline event handlers (onclick="...") or javascript: URLs, which still have to be moved into scripts. The security improvement is significant.
Will this CSP catch all my asset origins?
It catches every origin referenced in the HTML as served at the moment we fetched it. What it misses: assets loaded dynamically by JavaScript (e.g. analytics that injects scripts at runtime), fetch/XHR and WebSocket endpoints (connect-src), web workers and service workers (worker-src), resources behind authentication, and anything only served to particular users, devices or regions. Always run the generated header in report-only mode for a few days and watch the violation reports before enforcing.
How do I deploy a CSP without breaking my site?
Three steps. First, deploy the header as Content-Security-Policy-Report-Only (note the suffix) so violations are reported but nothing is blocked. Second, add a reporting endpoint with the report-uri directive (legacy, still widely supported) or report-to (which also needs a Reporting-Endpoints header naming the endpoint) and watch for unexpected origins for 7-14 days. Third, fold any legitimate missing origins back into the policy, then switch to the enforcing Content-Security-Policy header. Browsers honour both headers at once, so keep a tightened report-only policy running alongside the enforced one as a canary for the next iteration.
What is the difference between strict mode and the default?
Default mode keeps 'unsafe-inline' (and 'unsafe-eval' if eval-like patterns are detected) so your existing page keeps working, but with 'unsafe-inline' in script-src the policy does very little against XSS, since injected inline script is exactly what that keyword permits. Strict mode drops those keywords, which means inline scripts and styles will be blocked until they carry a nonce or hash. In return you get protection against most XSS attacks. Note that tag managers and other loaders that inject scripts at runtime also break under a nonce-only policy unless 'strict-dynamic' is added or every injected origin is listed. Strict mode is the right target, but only after you've refactored inline blocks to nonces or hashes or moved them to external files.
Why are some directives missing from my output?
We only emit directives we found evidence for in your HTML. If you have no <iframe> on the page, frame-src is omitted. If there is no font preload or @font-face URL, font-src is omitted. For the fetch directives (script-src, img-src, connect-src and so on) the browser falls back to default-src when a directive is missing, so omitting them costs you nothing as long as default-src is present and tight. Two things to be aware of: your real app may use connect-src for fetch / WebSocket calls that don't appear in static HTML, and some directives never inherit from default-src, notably frame-ancestors (clickjacking), base-uri and form-action, so add those by hand if you want their protection.
