Content-Security-Policy
The HTTP Content-Security-Policy response header allows web site administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks.
Syntax
Content-Security-Policy: <policy-directive>; <policy-directive>
where <policy-directive> consists of: <directive> <value> with no internal punctuation.
Directives
Fetch directives
- child-src - Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
- connect-src - Restricts the URLs which can be loaded using script interfaces.
- default-src - Serves as a fallback for the other fetch directives.
- font-src - Specifies valid sources for fonts loaded using @font-face.
- frame-src - Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.
- img-src - Specifies valid sources of images and favicons.
- manifest-src - Specifies valid sources of application manifest files.
- media-src - Specifies valid sources for loading media using the <audio>, <video> and <track> elements.
- object-src - Specifies valid sources for the <object>, <embed>, and <applet> elements.
- prefetch-src - Specifies valid sources to be prefetched or prerendered.
- script-src - Specifies valid sources for JavaScript and WebAssembly resources.
- script-src-elem - Specifies valid sources for JavaScript <script> elements.
- script-src-attr - Specifies valid sources for JavaScript inline event handlers.
- style-src - Specifies valid sources for stylesheets.
- style-src-elem - Specifies valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet".
- style-src-attr - Specifies valid sources for inline styles applied to individual DOM elements.
- worker-src - Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
Document directives
- base-uri - Restricts the URLs which can be used in a document's <base> element.
- sandbox - Enables a sandbox for the requested resource similar to the <iframe> sandbox attribute.
Navigation directives
- form-action - Restricts the URLs which can be used as the target of form submissions from a given context.
- frame-ancestors - Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
- navigate-to - Restricts the URLs to which a document can initiate navigation by any means, including <form> (if form-action is not specified), <a>, window.location, window.open, etc.
Reporting directives
- report-uri - Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.
- report-to - Fires a SecurityPolicyViolationEvent.
Other directives
- require-sri-for - Requires the use of SRI for scripts or styles on the page.
- require-trusted-types-for - Enforces Trusted Types at the DOM XSS injection sinks.
- trusted-types - Used to specify an allow-list of Trusted Types policies. Trusted Types allows applications to lock down DOM XSS injection sinks to only accept non-spoofable, typed values in place of strings.
- upgrade-insecure-requests - Instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for websites with large numbers of insecure legacy URLs that need to be rewritten.
Deprecated directives
- block-all-mixed-content - Prevents loading any assets using HTTP when the page is loaded using HTTPS.
- plugin-types - Restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.
- referrer - Used to specify information in the Referrer (sic) header for links away from a page. Use the Referrer-Policy header instead.
Values
Keyword values
- 'none' - Won't allow loading of any resources. (Keyword values are written in single quotes; an unquoted none would be parsed as a host named "none".)
- 'self' - Only allow resources from the current origin.
- 'strict-dynamic' - The trust granted to a script in the page due to an accompanying nonce or hash is extended to the scripts it loads.
- 'report-sample' - Require a sample of the violating code to be included in the violation report.
Unsafe keyword values
- 'unsafe-inline' - Allow use of inline resources.
- 'unsafe-eval' - Allow use of dynamic code evaluation such as eval, setImmediate, and window.execScript.
- 'unsafe-hashes' - Allows enabling specific inline event handlers.
Hosts values
- Host - Only allow loading of resources from a specific host, with optional scheme, port, and path. e.g. example.com, *.example.com, https://*.example.com:12/path/to/file.js.
  - Path parts in the CSP that end in / match any path they are a prefix of. e.g. example.com/api/ will match URLs like example.com/api/users/new.
  - Other path parts in the CSP are matched exactly. e.g. example.com/file.js will match http://example.com/file.js and https://example.com/file.js, but not https://example.com/file.js/file2.js.
- Scheme - Only allow loading of resources over a specific scheme, should always end with :. e.g. https:, http:, data: etc.
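The host-source matching rules above (wildcard host, optional scheme and port, prefix match for paths ending in /, exact match otherwise), as an added example that is not part of the original reference page. It is a simplified matcher: scheme-only sources such as https:, a lone *, IPv6 literals and query strings are not handled, and a source with no scheme is taken to match both http and https, as the page's example states.

```javascript
// Added example (not from the original page): apply CSP host-source matching
// rules to a URL. Simplified; see the lead-in for what is left out.
const SOURCE_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i;

function parseHostSource(source) {
  const m = SOURCE_RE.exec(source.trim());
  if (!m) throw new Error(`not a host-source: ${source}`);
  const [, scheme, wildcard, host, port, path] = m;
  return {
    scheme: scheme ? scheme.toLowerCase() : null,
    wildcard: Boolean(wildcard),
    host: host.toLowerCase(),
    port: port || null,
    path: path || null,
  };
}

function matchesHostSource(source, urlString) {
  const src = parseHostSource(source);
  const url = new URL(urlString);
  const urlScheme = url.protocol.replace(/:$/, "");
  // Scheme: an explicit scheme must match; with none, http and https are both accepted.
  if (src.scheme ? src.scheme !== urlScheme : !["http", "https"].includes(urlScheme)) return false;
  // Host: "*." matches any subdomain (not the bare domain); otherwise hosts must be identical.
  const hostname = url.hostname.toLowerCase();
  if (src.wildcard ? !hostname.endsWith("." + src.host) : hostname !== src.host) return false;
  // Port: "*" matches any port; an explicit port must match; no port means the scheme
  // default, which URL normalises to an empty string.
  if (src.port !== "*" && (src.port || "") !== url.port) return false;
  // Path: no path matches everything; a trailing "/" is a prefix match; anything else is exact.
  if (src.path === null) return true;
  return src.path.endsWith("/") ? url.pathname.startsWith(src.path) : url.pathname === src.path;
}
```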
Other values
- 'nonce-*' - A cryptographic nonce (number used once) to allow scripts. The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed, as bypassing a resource's policy is otherwise trivial. This is used in conjunction with the script tag nonce attribute. e.g. 'nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV'
- 'sha*-*' - sha256, sha384, or sha512, followed by a dash and then the base64-encoded sha* digest of the script or style contents. e.g. 'sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY='
Example
Using the HTTP header
Content-Security-Policy: default-src https:
Using the HTML meta element
<meta http-equiv="Content-Security-Policy" content="default-src https:" />