CSP Framework Examples
Copy-paste Content Security Policy configurations for popular frameworks and platforms. Each example is a tested starting point — customize it for your specific third-party services.
CSP Header Builder
Build Content Security Policy headers visually with framework presets, security analysis, and multi-format output.
Directives
Fetch Directives
Document Directives
Navigation Directives
Output Format
Generated Policy
Content-Security-Policy: upgrade-insecure-requests
Security Analysis
Policy Stats
Next.js CSP configuration
In Next.js, set CSP headers in next.config.js using the headers() function, or in middleware.ts for dynamic nonce-based CSP. Next.js requires 'unsafe-eval' for development hot reload and 'unsafe-inline' for styled-jsx. For production, use nonces with 'strict-dynamic' for the strongest policy.
// Next.js — CSP in next.config.js
const cspHeader = `
default-src 'self';
script-src 'self' 'unsafe-eval' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
img-src 'self' blob: data:;
`;
// Express middleware
app.use((req, res, next) => {
res.setHeader("Content-Security-Policy",
"default-src 'self'; script-src 'self'");
next();
});
// Nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
// Vercel (vercel.json)
{ "headers": [{ "key": "Content-Security-Policy", "value": "default-src 'self'" }] }Nginx and Apache CSP headers
In Nginx, use: add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always; — the 'always' flag ensures the header is sent on error pages too. In Apache, use: Header always set Content-Security-Policy "default-src 'self'; script-src 'self'". Place these in your server block or .htaccess respectively.
Vercel and Netlify CSP headers
On Vercel, add headers in vercel.json under the headers array with a source pattern. On Netlify, use the [[headers]] section in netlify.toml or a _headers file. Both platforms support wildcards for applying CSP across all routes.
Frequently Asked Questions
Why does my Next.js app break with a strict CSP?
Next.js uses inline scripts for hydration and CSS-in-JS libraries often inject inline styles. You need 'unsafe-inline' for style-src and either nonces or 'unsafe-eval' for script-src. Use the Next.js CSP preset in the builder as a starting point.
How do I add CSP to Nginx?
Add this to your server block: add_header Content-Security-Policy "your-policy-here" always; The 'always' keyword ensures the header is sent even on error responses (404, 500). Test with Content-Security-Policy-Report-Only first.
Can I use CSP with a CDN like Cloudflare?
Yes. Set CSP at your origin server. CDNs pass through response headers by default. Some CDNs (Cloudflare Workers, Vercel Edge) also let you add or modify headers at the edge. Make sure your CSP allows your CDN's domain in the relevant directives.
Related Generate Tools
Box Shadow Generator
Design CSS box shadows visually with multiple layers, presets, and live preview
Flexbox Generator
Build CSS flexbox layouts visually with live preview, item config, and presets
Grid Generator
Build CSS grid layouts visually with columns, rows, gap, item placement, and presets
Border Radius Generator
Design CSS border-radius visually with per-corner controls, unit selection, and presets