In development. RVNT is pre-release and not yet security-audited. Source code, public builds, and the iOS / App Store release aren’t available yet.

Content-Security-Policy Builder

Build a CSP header visually.

Runs entirely in your browser — nothing you enter is uploaded, logged, or tracked.

A Content-Security-Policy header tells the browser which sources of scripts, styles, images and other content to trust, which makes it a strong defence against XSS and injection. Pick directives and their allowed sources to assemble a valid CSP, starting from a strict preset if you like, and copy the result as an HTTP header or a <meta> tag.

Common sources: 'self' 'none' 'unsafe-inline' https: data: — and any host like https://cdn.example.com.

Frequently asked questions

How do I use the policy?

Send it as a Content-Security-Policy HTTP response header (best) or add it as a <meta http-equiv> tag. Test with Content-Security-Policy-Report-Only first to catch breakage.

What is a good starting point?

A strict default-src 'self' plus explicit allowances for the sources you actually use. Avoid 'unsafe-inline' and 'unsafe-eval' where possible — they weaken the protection.
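The two answers above (header vs. <meta> delivery, and a strict default-src 'self' baseline) as an added JavaScript example; it is not the builder's own code. The function names and the sample policy are assumptions made for illustration.

```javascript
// Added example: assemble a CSP from a directive map and flag weak sources.
// All function names and the sample policy below are illustrative.
const KEYWORDS = new Set(["self", "none", "unsafe-inline", "unsafe-eval"]);
const WEAK = new Set(["'unsafe-inline'", "'unsafe-eval'"]);
// Directives that browsers ignore when the policy arrives in a <meta> tag.
const HEADER_ONLY = new Set(["frame-ancestors", "report-uri", "sandbox"]);

function normalizeSource(src) {
  const bare = src.replace(/^'|'$/g, "");
  // Keywords must be single-quoted, or the browser reads self as a hostname.
  if (KEYWORDS.has(bare)) return `'${bare}'`;
  // Whitespace, ';' or ',' inside a source would smuggle in extra directives.
  if (/[\s;,]/.test(src)) throw new Error(`invalid source: ${src}`);
  return src;
}

function buildCsp(directives) {
  const parts = [], warnings = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (!/^[a-z-]+$/.test(name)) throw new Error(`invalid directive: ${name}`);
    const list = sources.map(normalizeSource);
    // Browsers ignore 'none' when it is not alone, so treat that as a mistake.
    if (list.includes("'none'") && list.length > 1)
      throw new Error(`${name}: 'none' cannot be combined with other sources`);
    for (const s of list) if (WEAK.has(s)) warnings.push(`${name} allows ${s}`);
    parts.push([name, ...list].join(" "));
  }
  if (!("default-src" in directives)) warnings.push("no default-src fallback");
  return { policy: parts.join("; "), warnings };
}

// Report-Only exists only as a response header; there is no <meta> form of it.
function toHeader(policy, reportOnly = false) {
  const name = "Content-Security-Policy" + (reportOnly ? "-Report-Only" : "");
  return `${name}: ${policy}`;
}

function toMeta(directives) {
  const kept = Object.fromEntries(
    Object.entries(directives).filter(([name]) => !HEADER_ONLY.has(name)));
  const content = buildCsp(kept).policy.replace(/"/g, "&quot;");
  return `<meta http-equiv="Content-Security-Policy" content="${content}">`;
}

// Constructed sample policy: strict baseline plus one CDN and inline styles.
const sample = { "default-src": ["self"], "script-src": ["self", "https://cdn.example.com"],
  "style-src": ["self", "unsafe-inline"], "img-src": ["self", "data:"],
  "frame-ancestors": ["none"] };
const built = buildCsp(sample);
console.log(toHeader(built.policy, true), built.warnings, toMeta(sample));
```

The <meta> output drops frame-ancestors, so a policy that relies on it for clickjacking protection has to be sent as a header.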

Is anything uploaded?

No — the policy is assembled in your browser from your selections.

Built by a privacy company

These tools never phone home — the same principle as RVNT itself: a post-quantum, end-to-end-encrypted, peer-to-peer messenger with no servers and no tracking.