Laravel Security

Generate a production-ready Content Security Policy

Configure your directives, copy the middleware, deploy with confidence. No signup needed.

Nonce-based, Vite-ready, Livewire-aware, violation reporting, 100% client-side.
Strict: minimal CDN allowlist. Best for new apps.
Standard: common CDNs, Google Fonts, GA4 ready.
Local Dev: Vite HMR enabled, report-only on.
Configure

Local development: adds Vite's HMR WebSocket to connect-src and removes upgrade-insecure-requests. Never ship this to production.
Report-only mode: uses Content-Security-Policy-Report-Only. Violations are reported but nothing is blocked. Run this for 1–2 weeks before enforcing.
Violation reporting: adds report-uri to the policy. Set up CspReportController to receive and classify reports.

script-src: presets for cdn.jsdelivr.net, cdnjs.cloudflare.com and Tawk.to live chat (embed.tawk.to); custom sources can be added.
style-src: the Google Fonts preset adds fonts.googleapis.com to style-src-elem and fonts.gstatic.com to font-src; custom sources can be added. style-src-attr is always set to 'none' — inline style="" attributes cannot carry a nonce.
img-src, frame-src: custom sources can be added.
connect-src: controls fetch(), XHR, WebSockets and SSE. Vite HMR WebSocket is added automatically when local dev is on; custom sources can be added.

Integrations:
Google Analytics / GA4: adds google-analytics.com to script-src and connect-src.
Google Tag Manager: GTM custom HTML tags require unsafe-inline, which weakens your policy. Consider server-side GTM instead.
Livewire: adds nonce reminders to the checklist.

Output tabs: HTTP Header, PHP Middleware, Checklist, Reference.
Free PDF Guide
Laravel CSP Quick Reference

4 pages. Every directive, the checklist, common mistakes, and quick-start snippets — without keeping this tab open.

All 13 directives with values and plain-English descriptions
Pre-enforcement checklist — 12 items before enforcement
5 common mistakes and how to avoid them
Blade, Vite & Livewire quick-start snippets
Everything you need to ship secure

Not just a header builder — a complete workflow from configuration to deployment.

Nonce-based by default: every policy uses cryptographic nonces — never unsafe-inline. The middleware handles generation, Blade sharing, and Vite registration automatically.
Violation reporting included: the PHP output includes a complete reporting pipeline — route, controller, log channels, extension filtering, and threshold alerting.
Environment-aware: local dev mode adds Vite's HMR WebSocket and removes upgrade-insecure-requests automatically. Nothing leaks to production.
Dynamic checklist: the pre-enforcement checklist adapts to your config. Livewire items appear only when Livewire is on. Report-only mode tells you what to do next.
Policy strength score: real-time score from D to A+ that grades your policy on nonce usage, HTTPS enforcement, allowlist size, and reporting coverage.
Strict CSS directives: correctly separates style-src, style-src-elem, and style-src-attr. style-src-attr is always set to 'none' — the only safe option.
FAQ
A CSP is an HTTP response header that tells browsers which sources of scripts, styles, images, and other resources are allowed to load on your page. It's your primary defense against cross-site scripting (XSS) — if malicious code is injected into your HTML, the browser refuses to execute it because it doesn't come from an approved source.
Yes — always. Set Content-Security-Policy-Report-Only with a report-to endpoint first. Browsers log violations but block nothing. Run it in production for 1–2 weeks, review the reports, fix any legitimate sources, then switch to enforcement mode.
Yes, but carefully. Add the CDN hostname to the correct directive — e.g. script-src cdn.example.com. Avoid 'unsafe-inline' or * wildcards — they defeat the purpose. For extra protection, add Subresource Integrity (SRI) hashes to your <script> and <link> tags.
It can — if you have inline scripts or styles without nonces. Use Report-Only mode first. The browser reports violations but blocks nothing. Run it for a week, fix your templates, then enforce.
Two things. First, make sure Vite::useCspNonce($nonce) is called before $next($request). Second, make sure connect-src includes ws://localhost:5173 in your local environment. Enable Local Dev mode above — it handles both.
Yes. They protect against different attacks. CSRF prevents forged requests from other domains. CSP prevents injected scripts from running on your domain. One doesn't substitute for the other.
report-uri is the original, widely supported mechanism. Report-To is the newer Reporting API — reports are batched and the endpoint is cached. Use both for maximum coverage, or use report-uri.com as a hosted alternative.
For Livewire v2: @livewireScripts(['nonce' => $cspNonce]). For Livewire v3: @livewireScriptConfig(['nonce' => $cspNonce]). Enable the Livewire integration above and the checklist will remind you.
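The middleware that the feature list and the Vite FAQ describe, as an added illustration that is not the generator's own output: it creates a per-response nonce, registers it with Vite before the view renders, shares it with Blade, and emits either the enforcing or the report-only header. The csp.report_only config key and the /csp-report route are assumptions.

```php
<?php
// Added illustrative middleware, not the generator's own output.
// Assumed: a config('csp.report_only') boolean and an existing /csp-report route.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Vite;
use Symfony\Component\HttpFoundation\Response;

class ContentSecurityPolicy
{
    public function handle(Request $request, Closure $next): Response
    {
        // One fresh nonce per response: 128 bits from the CSPRNG, base64 as CSP expects.
        $nonce = base64_encode(random_bytes(16));
        // Register with Vite BEFORE $next() so @vite tags render with nonce="...",
        // and share it with Blade for hand-written <script nonce="{{ $cspNonce }}"> tags.
        Vite::useCspNonce($nonce);
        view()->share('cspNonce', $nonce);

        $response = $next($request);
        $header = config('csp.report_only', false)
            ? 'Content-Security-Policy-Report-Only'   // observe violations, block nothing
            : 'Content-Security-Policy';
        $response->headers->set($header, self::policy($nonce, app()->environment('local')));

        return $response;
    }
    // Builds the header value. Local dev adds Vite's HMR WebSocket to connect-src
    // and omits upgrade-insecure-requests, mirroring the generator's Local Dev mode.
    public static function policy(string $nonce, bool $localDev): string
    {
        $directives = [
            "default-src 'self'",
            "script-src 'self' 'nonce-{$nonce}'",
            "style-src 'self' 'nonce-{$nonce}'",
            "style-src-attr 'none'",          // inline style="" attributes cannot carry a nonce
            "connect-src 'self'" . ($localDev ? ' ws://localhost:5173' : ''),
            "object-src 'none'",
            "base-uri 'self'",
            'report-uri /csp-report',
        ];
        if (! $localDev) {
            $directives[] = 'upgrade-insecure-requests';
        }
        return implode('; ', $directives);
    }
}
```

Register it in the web middleware group so every HTML response carries the header, and keep csp.report_only true for the observation period before enforcing.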