静的サイト向けCSPポリシージェネレーター

ツールを読み込み中...

静的サイト向けCSPポリシージェネレーターとは

静的サイト向けCSPポリシージェネレーターは、CDN、アナリティクス、フォント、埋め込みオプション付きの静的サイト向けContent-Security-Policyヘッダーを生成します。出力は公開サイトに使う前に確認しやすい形で表示されます。

Quick answer

A Content Security Policy blocks cross-site scripting and data injection attacks by restricting which resources the browser can load. Start with a restrictive policy and widen only when needed.

Limitations

CSP does not protect against server-side vulnerabilities or compromised third-party libraries already included in the policy.
Inline event handlers and javascript: URLs are blocked unless 'unsafe-inline' or a hash/nonce is set.
GitHub Pages does not support custom HTTP headers; use a meta tag-based CSP instead, which has limited directive support compared to the HTTP header.

使い方

必要な値を入力します。
結果パネルの出力を確認します。
ページに合う部分だけコピーします。
公開前にブラウザとホスティング環境で確認します。

主な用途

公開前の繰り返し作業を短くする。
マークアップ、CSS、チェックリストを準備する。
静的サイトで見落としやすい小さなミスを減らす。

よくあるミス

出力を確認せず本番に入れる。
公開URLではなくローカルURLを使う。
build後に公開フォルダ内のファイルを確認しない。

Verification

Deploy the CSP in report-only mode first by using Content-Security-Policy-Report-Only and check the browser console for violation reports.
Switch to the enforce header only after confirming no legitimate resources are being blocked.

Comparison

CSP vs Permissions-Policy vs Referrer-Policy

Aspect	Content-Security-Policy	Permissions-Policy	Referrer-Policy
What it controls	Which resources (scripts, styles, images, fonts) the page can load and from which origins	Which browser features (camera, microphone, geolocation, payment) the page can access	How much referrer information is sent when the page navigates to or loads a resource from another origin
Example directives	default-src 'self'; script-src 'self' cdn.example.com; img-src *	camera=(), geolocation=(self), fullscreen=*	strict-origin-when-cross-origin, no-referrer, same-origin
Delivered as header or meta	Both. HTTP header is preferred. Meta tag works but does not support frame-ancestors or report-uri.	HTTP header only. Meta tag is not supported for Permissions-Policy.	Both. Meta tag works and is commonly used for static pages.
What happens if misconfigured	Resources are blocked. The page may appear broken with missing styles, scripts, or images.	Features silently fail. JavaScript calls to blocked APIs throw without visible browser UI.	Referrer data is sent with unintended detail or is missing when analytics need it.

CSP controls resource loading, Permissions-Policy controls feature access, and Referrer-Policy controls referrer data sent to other origins. They are complementary security headers that serve different purposes.

FAQ