Content Security Policy Builder

Switch on the directives you need, pick their sources, copy the header. Start strict and loosen only where the page genuinely loads from.
Content-Security-Policy header value
default-src 'self'
Deploy this in report-only mode first to see what it would block before it blocks anything. The unsafe-inline and unsafe-eval sources weaken the policy and are flagged; avoid them unless a real need is documented.