CentralCSP
Register

Main menu

All articles

Next Article

How to use the Content-Security-Policy (CSP) Builder

How to build the best Content-Security-Policy (CSP)

Sunday, July 27, 2025
7 min read
Theotime QuereTheotime Quere
Content Security Policy (CSP) is a powerful security standard designed to help protect your website from a wide range of threats, including Cross-Site Scripting (XSS), data injection, and other code execution attacks. By specifying which sources of content are trusted and allowed to load on your site, CSP acts as a security layer that prevents malicious scripts and resources from being executed in your users' browsers.

In this article, we will see how to implement the best Content-Security-Policy for your website, ensuring compliance with the latest security standards and best practices for security and easy maintenances.

How to get started with Content-Security-Policy?

The first step when starting to implement the content-security-policy is to understand what is the current state of the policy on your website.

If you already have a CSP policy

You can use CentralCSP's free scanner to audit your current CSP policy.
Scan your website with this free online CSP scanner

If you do not have a CSP policy

The following policy is a good starting point, this implement all the basic directives and it is quite restrictive. 
Content-Security-Policy-Report-Only: 
default-src 'self';
script-src 'self' 'report-sample';
style-src 'self';
img-src 'self';
font-src 'self';
object-src 'none';
base-uri 'none';
form-action 'none';
frame-ancestors 'none';
frame-src 'self';
connect-src 'none';
upgrade-insecure-requests;
report-uri https://report.centralcsp.com/<myendpoint>;

How to implement the CSP policy?

The content-security-policy is implemented using the Content-Security-Policy header in the HTTP response headers. Depending on the server or framework you are using, the implementation will be different.

Web Servers

This list includes software that directly handles HTTP requests from the internet.

Nginx

A high-performance web server and reverse proxy. The CSP header is added using the add_header directive in your site's configuration file. 
server {
  add_header Content-Security-Policy "default-src 'self'; ";
  location /specific-location {
      add_header Content-Security-Policy "default-src 'self'; ";
  }
}

Apache

A widely used open-source web server. The CSP header is set using the mod_headers module, typically in a .htaccess file or the main server configuration.
See the official documentation 
Header set Content-Security-Policy "default-src 'self';"

Traefik

A modern reverse proxy and load balancer. The CSP header is set using the traefik.http.middlewares.csp.headers.contentsecuritypolicy configuration.
See the official documentation 
traefik.http.middlewares.csp.headers.contentsecuritypolicy: "default-src 'self';"

Web Frameworks

This list includes toolkits and libraries used to build web applications. The CSP is typically set within the application's code or configuration.

Nuxt

A framework for building Vue.js applications. You can set the CSP header globally using route rules in your nuxt.config.ts file or by using the dedicated nuxt-security module.
See the official documentation

Express

A minimal and flexible back-end web framework for Node.js. The recommended way to set CSP is with the Helmet middleware. 
const express = require("express");
const app = express();

// middleware to set the Content-Security-Policy header
app.use("/", (req, res, next) => {
      // setting the Content-Security-Policy header
      res.setHeader("Content-Security-Policy", "default-src 'self';"); 
      // next middleware or route handler
      next();
});

Django

A high-level Python web framework. While you can create a custom middleware, the standard approach is to use the django-csp library to manage CSP headers.

Django do not provide a built-in CSP middleware, but you can use the django-csp library to implement it.
Library to implement CSP in Django

Next.js

A React framework for production. You can configure CSP and other headers in the next.config.js file for all routes.
See the official documentation

Laravel

A PHP web framework with expressive, elegant syntax. The common method is to use a middleware. The spatie/laravel-csp package is a popular and robust solution.
See the official documentation

Angular

A TypeScript-based web application framework. The recommended way to set CSP is with the httpHeaders configuration.
See the official documentation

How start improving the CSP policy?

For now we only have a Content-Security-Policy-Report-Only header. This do not block anything and is just used to report the violations whenever something should have been blocked.

As we need to get all the reports, we need to implement a report-only endpoint to collect the reports and build a custom policy. To do so, you can use the report-uri directive in the CSP header.
See how to implement a report-only endpoint 
...
report-uri https://report.centralcsp.com/<myendpoint>;

How to build the CSP policy?

Now that we have a report-only endpoint, we can start building the CSP policy.

Step 1: Build your CSP using CentralCSP's Builder

Once you have violation data, use CentralCSP's CSP Builder to generate a policy based on actual usage patterns.
Access the CSP Builder
CentralCSP CSP Builder interface
CentralCSP CSP Builder - Generate policies from violation data

How the Builder works:

  1. Import your violation reports from CentralCSP
  2. Review each blocked resource and add the necessary domains to the appropriate directives
  3. Add all best practices to the policy
  4. Allow you to review each value and see make sure it's ready for production
The Builder guides you through each decision, ensuring you understand why each resource is being allowed or blocked.

Step 2: Validate your new CSP

Before deploying to production, validate your policy using our CSP Scanner.

The scanner will check:
  • ✅ No unsafe keywords present
  • ✅ Proper directive structure
  • ✅ Appropriate source lists
  • ✅ Security best practices followed

Scan Your Website Now

Instantly analyze your website's Content Security Policy. Get actionable insights and improve your security posture in minutes.

Scan Your Website

Enter your website URL to analyze its Content Security Policy configuration.

Get started now by providing your website URL and launch the scan!

Your website is not yet online?
Try our CSP Evaluator

Step 3: Deploy and monitor

Once validated, deploy your CSP in production in enforce mode and set up ongoing monitoring.

Conclusion

Deploying a content-security-policy isn't an easy task, but with the right tools and a structured approach, you can achieve robust security without sacrificing functionality. Remember, CSP is not a one-time setup: review and update your policy regularly as your website evolves to maintain the highest level of protection.

Continue Reading

Stay safe, no more unsafe-inline

Learn more about unsafe-inline and how to properly setup your CSP to avoid using it.

2024-12-03
5 min read
Theotime QuereTheotime Quere
Read more

Get started with CSP

Learn how to properly setup your CSP to ensure a secure configuration, see how to setup the CSP with HTTP headers and meta tags the right way. Learn more about CSP best practices.

2024-12-03
5 min read
Theotime QuereTheotime Quere
Read more

Main menu

All articles

Theotime Quere

Written by

Theotime Quere