Content-Security-Policy HTTP Header

Content-Security-Policy

The Content-Security-Policy header allows the server to declare which resources the browser is allowed to load for a page, and from which sources.

Accepted Values

Multiple directives are allowed, separated by a semicolon. Directives that take a value are followed by a space and then the value; a directive may list several values, separated by spaces.
base-uri

Define what can be used in the base element.

base-uri <content-security-policy>
block-all-mixed-content

Prevent mixed content access.

child-src

Define sources for web workers and frames.

child-src <content-security-policy>
connect-src

Define valid connection targets for script interfaces such as fetch, XMLHttpRequest, and WebSocket.

connect-src <content-security-policy>
default-src

Fallback for all fetches.

default-src <content-security-policy>
font-src

Define sources for fonts.

font-src <content-security-policy>
form-action

Define what can be used as the target for forms.

form-action <content-security-policy>
frame-ancestors

Define valid parents for frame, iframe, embed, object, and applet.

frame-ancestors <content-security-policy>
frame-src

Define sources for frames.

frame-src <content-security-policy>
img-src

Define sources for images and favicons.

img-src <content-security-policy>
manifest-src

Define sources for manifest files.

manifest-src <content-security-policy>
media-src

Define sources for audio, video, and track elements.

media-src <content-security-policy>
navigate-to

Restrict the URLs the document may navigate to by any means (links, forms, or script).

navigate-to <content-security-policy>
object-src

Define sources for object, embed, and applet elements.

object-src <content-security-policy>
plugin-types

Define what plugins can be embedded and loaded.

plugin-types <content-security-policy>
prefetch-src

Define sources to be prefetched.

prefetch-src <content-security-policy>
referrer

Control the Referer header sent with requests.

referrer <content-security-policy>
report-to

Fire a SecurityPolicyViolationEvent.

report-to <content-security-policy>
report-uri <url>

URI for violation reports.

report-uri https://yourwebsite.com/url
require-sri-for

Require SRI for scripts and styles.

require-sri-for <content-security-policy>
require-trusted-types-for

Enforce trusted types for DOM XSS.

require-trusted-types-for <content-security-policy>
sandbox

Enables a sandbox for the requested resource, similar to the iframe sandbox attribute.

sandbox <content-security-policy>
script-src

Define sources for JavaScript.

script-src <content-security-policy>
script-src-attr

Define sources for inline JavaScript event handlers.

script-src-attr <content-security-policy>
script-src-elem

Define sources for script elements.

script-src-elem <content-security-policy>
style-src

Define sources for stylesheets.

style-src <content-security-policy>
style-src-elem

Define sources for style and stylesheet link elements.

style-src-elem <content-security-policy>
trusted-types

Allow certain trusted types.

trusted-types <content-security-policy>
upgrade-insecure-requests

Instruct the browser to upgrade insecure (HTTP) URLs to HTTPS before fetching them.

worker-src

Define sources for Worker, SharedWorker, and ServiceWorker scripts.

worker-src <content-security-policy>
Where content-security-policy is one or more of the following source expressions, separated by spaces (keywords must be enclosed in single quotes):
'none'
No loading of resources.
'self'
Only resources from the current origin.
'unsafe-inline'
Allow use of inline resources.
'unsafe-eval'
Allow use of dynamic code evaluation (for example eval()).
'unsafe-hashes'
Allow inline event handlers and inline styles that match a listed hash.
'unsafe-allow-redirects'
Allow use of redirected resources.
'strict-dynamic'
Allow additional resources to be loaded dynamically by a script that was already trusted via a nonce or hash.
'report-sample'
Indicates that a sample of the violating resource will be included in the violation report.
script-src
Script sources.
<protocol>:
Allow from this protocol (for example https:).
<domain>
Allow from this domain (for example https://domain.com or *.domain.com).
'nonce-<nonce>'
Only resources whose nonce attribute matches this value.
'sha256-<hash>', 'sha384-<hash>', 'sha512-<hash>'
Only resources whose base64-encoded SHA hash matches this value.

Example

Content-Security-Policy: child-src 'none'; img-src https://domain.com
Content-Security-Policy: default-src 'self'
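A small parser and audit for headers in the format described above, as an added example that is not part of the original page. It splits the header into directives and values, flags keywords that were not quoted (an unquoted unsafe-inline is treated by browsers as a host name), rejects unrecognised source expressions, and reports the weak settings a reviewer would raise first: 'unsafe-inline' in script-src without a nonce or hash, and missing object-src or base-uri. The keyword and source lists are assumptions taken from the directive list above, not an exhaustive implementation of the specification.

```python
import re

# Keywords from the value list above; all of them must be single-quoted in a real policy.
KEYWORDS = {"'none'", "'self'", "'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'",
            "'unsafe-allow-redirects'", "'strict-dynamic'", "'report-sample'"}
# Non-keyword source expressions: 'nonce-...', 'sha256/384/512-...', a scheme (https:), * or a host.
SOURCE_RE = re.compile(
    r"^('nonce-[A-Za-z0-9+/=_-]+'|'sha(256|384|512)-[A-Za-z0-9+/=]+'|"
    r"[a-z][a-z0-9+.-]*:|\*|[A-Za-z0-9*.:/_-]+)$")


def parse_csp(header):
    """Split a header into {directive: [values]}: directives are separated by ';', values by spaces."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # tolerate a trailing ';' or doubled separators
        name, values = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, values)  # browsers honour the first occurrence of a directive
    return policy


def audit_csp(header):
    """Return a list of findings (empty when nothing looks wrong) for the given header value."""
    policy = parse_csp(header)
    findings = []
    for name, values in policy.items():
        for v in values:
            bare = v.strip("'")
            if "'" + bare + "'" in KEYWORDS and v != "'" + bare + "'":
                findings.append(f"{name}: keyword {bare} must be quoted as '{bare}' "
                                f"(unquoted it is treated as a host name)")
            elif v not in KEYWORDS and not SOURCE_RE.match(v):
                findings.append(f"{name}: unrecognised source expression {v}")
    # script-src falls back to default-src when absent, as the directive list above states.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    elif "'unsafe-inline'" in script and not any(v.startswith(("'nonce-", "'sha")) for v in script):
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    default = policy.get("default-src")
    if "object-src" not in policy and (default is None or "'none'" not in default):
        findings.append("object-src not restricted: plugin content is allowed")
    if "base-uri" not in policy:
        findings.append("base-uri missing: a base element can redirect relative URLs")
    return findings


if __name__ == "__main__":
    for line in audit_csp("script-src 'self' unsafe-inline 'unsafe-evail'; img-src https://domain.com"):
        print(line)
```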

Reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy