Content Security Policy
Hello CSP
Examples
Try loading local and external images
Content-Security-Policy: img-src 'self'
Try loading images over HTTP and HTTPS
Content-Security-Policy: img-src https:
Report the CSP violation
Content-Security-Policy: default-src 'self'; report-uri /CSP/CSPViolationReport
Report the CSP violation to Report-uri.io
Content-Security-Policy: default-src 'self'; report-uri https://securenu.report-uri.io/r/default/csp/enforce
Page with no nonce, page with incomplete nonce, and page with working nonce policy:
default-src 'self'; style-src 'nonce-{nonce}'; script-src 'nonce-{nonce}'; img-src 'self' code.jquery.com;
Directive Reference
Directive | Example Value | Description |
---|---|---|
default-src | 'self' cdn.example.com | The default-src is the default policy for loading content such as JavaScript, images, CSS, fonts, AJAX requests, frames and HTML5 media. See the Source List Reference for possible values. |
script-src | 'self' js.example.com | Defines valid sources of JavaScript. |
style-src | 'self' css.example.com | Defines valid sources of stylesheets. |
img-src | 'self' img.example.com | Defines valid sources of images. |
connect-src | 'self' | Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed the browser emulates a 400 HTTP status code. |
font-src | font.example.com | Defines valid sources of fonts. |
object-src | 'self' | Defines valid sources of plugins, e.g. `<object>`, `<embed>` or `<applet>`. |
media-src | media.example.com | Defines valid sources of audio and video, e.g. HTML5 `<audio>` and `<video>` elements. |
frame-src | 'self' | Defines valid sources for loading frames. |
sandbox | allow-forms allow-scripts | Enables a sandbox for the requested resource similar to the iframe sandbox attribute. The sandbox applies a same-origin policy, prevents popups, and blocks plugins and script execution. Leave the sandbox value empty to keep all restrictions in place, or add values: allow-forms, allow-same-origin, allow-scripts and allow-top-navigation. |
report-uri | /some-report-uri | Instructs the browser to POST reports of policy failures to this URI. You can also append -Report-Only to the HTTP header name to instruct the browser to only send reports (does not block anything). |
Source List Reference
Source Value | Example | Description |
---|---|---|
* | img-src * | Wildcard, allows anything. |
'none' | object-src 'none' | Prevents loading resources from any source. |
'self' | script-src 'self' | Allows loading resources from the same origin (same scheme, host and port). |
data: | img-src 'self' data: | Allows loading resources via the data scheme (e.g. Base64 encoded images). |
domain.example.com | img-src img.example.com | Allows loading resources from the specified domain name. |
*.example.com | img-src *.example.com | Allows loading resources from any subdomain under example.com. |
https://img.example.com | img-src https://img.example.com | Allows loading resources only over HTTPS matching the given domain. |
https: | img-src https: | Allows loading resources only over HTTPS on any domain. |
'unsafe-inline' | script-src 'unsafe-inline' | Allows use of inline source elements such as style attributes, onclick handlers, or script tag bodies (depends on the context of the source it is applied to). |
'unsafe-eval' | script-src 'unsafe-eval' | Allows unsafe dynamic code evaluation such as JavaScript eval(). |
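The following Python is an added example, not code from this page or its demo site: it issues a fresh nonce per response for the nonce policy shown in the examples above, parses a policy string into directives, and applies the Source List Reference matching rules (default-src fallback, 'self', scheme sources, host and wildcard-host sources, nonces) to decide whether a resource would load. Bare host sources are matched on hostname only, a simplification assumed here; real browsers also check the scheme.

```python
import base64
import secrets
from urllib.parse import urlsplit

# Policy template from the page; {nonce} is filled in freshly for every response.
POLICY_TEMPLATE = ("default-src 'self'; style-src 'nonce-{nonce}'; "
                   "script-src 'nonce-{nonce}'; img-src 'self' code.jquery.com;")

def make_nonce(nbytes=16):
    """Unguessable base64 nonce; reusing one across responses defeats the scheme."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def build_header(nonce):
    return POLICY_TEMPLATE.format(nonce=nonce)  # Content-Security-Policy header value

def parse_policy(header):
    """Split 'dir src src; dir src' into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def allows(policy, directive, url, page_origin, nonce=None):
    """True if `url` (or an inline element carrying `nonce`, when url is None) is permitted."""
    # Fetch directives without their own entry fall back to default-src.
    srcs = policy.get(directive, policy.get("default-src", []))
    if url is None:  # inline element: a nonce source makes 'unsafe-inline' ignored (CSP 2+)
        if any(s.startswith("'nonce-") for s in srcs):
            return nonce is not None and f"'nonce-{nonce}'" in srcs
        return "'unsafe-inline'" in srcs
    u = urlsplit(url)
    for s in srcs:
        if s == "*" and u.scheme in ("http", "https", "ws", "wss"):
            return True  # wildcard covers network schemes only, not data:
        if s == "'self'" and f"{u.scheme}://{u.netloc}" == page_origin:
            return True
        if s.endswith(":") and u.scheme + ":" == s:
            return True  # scheme source, e.g. https: or data:
        if "://" in s:  # scheme + host source, e.g. https://img.example.com
            sp = urlsplit(s)
            if sp.scheme == u.scheme and sp.hostname == u.hostname:
                return True
        elif s.startswith("*.") and u.hostname and u.hostname.endswith(s[1:]):
            return True  # *.example.com matches any subdomain, not example.com itself
        elif s == u.hostname:
            return True  # bare host source, e.g. code.jquery.com (scheme check omitted)
    return False
```

An inline script is only permitted when its nonce attribute equals the one emitted in this response's header, which is why the page's "incomplete nonce" variant fails and the header value must be regenerated on every request.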