Content-Security-Policy HTTP Header

Content-Security-Policy

The content security policy allows the server to determine what resources the user is allowed to load.

Accepted Values

Multiple values are allowed, seperated by a semi-colon. Some options take a value, and that is preceded with a space after the option. Multiple values are supported.

base-uri: Define what can be used in the base element.
base-uri <content-security-policy>
block-all-mixed-content: Prevent mixed content access.
child-src: Define sources for web works and frames.
child-src <content-security-policy>
connect-src: Define sources for script interfaces.
connect-src <content-security-policy>
default-src: Fallback for all fetches.
default-src <content-security-policy>
font-src: Define sources for fonts.
font-src <content-security-policy>
form-action: Define what can be used as the target for forms.
form-action <content-security-policy>
frame-ancestors: Define valid parents for frame, iframe, embed, object, and applet.
frame-ancestors <content-security-policy>
frame-src: Define sources for frames.
frame-src <content-security-policy>
img-src: Define sources for images and favicons.
img-src <content-security-policy>
manifest-src: Define sources for manifest files.
manifest-src <content-security-policy>
media-src: Define sources for audio, video, and track elements.
media-src <content-security-policy>
navigate-to: Define navigation restrictions by any means.
navigate-to <content-security-policy>
object-src: Define sources for object, embed, and applet elements.
object-src <content-security-policy>
plugin-types: Define what plugins can be embedded and loaded.
plugin-types <content-security-policy>
prefetch-src: Define sources to be prefetched.
prefetch-src <content-security-policy>
referrer: Control the referer header.
referrer <content-security-policy>
report-to: Fire a SecurityPolicyViolationEvent.
report-to <content-security-policy>
report-uri="<url>": URI for violation reports.
report-uri="https://yourwebsite.com/url"
require-sri-for: Require SRI for scripts and styles.
require-sri-for <content-security-policy>
require-trusted-types-for: Enforce trusted types for DOM XSS.
require-trusted-types-for <content-security-policy>
sandbox: Enables sandboxing for the resources.
sandbox <content-security-policy>
script-src: Define sources for JavaScript.
script-src <content-security-policy>
script-src-attr-src: Define sources for inline JavaScript event handlers.
script-src-attr-src <content-security-policy>
script-src-elem: Define sources for script elements.
script-src-elem <content-security-policy>
style-src: Define sources for stylesheets.
style-src <content-security-policy>
style-src-elem: Define sources for style and stylesheet link elements.
style-src-elem <content-security-policy>
trusted-types: Allow certain trusted types.
trusted-types <content-security-policy>
upgrade-insecure-requests: Treat insecure URLs as though they are secure.
worker-src: Define sources for Worker, SharedWork, and ServiceWorker scripts.
worker-src <content-security-policy>

Where content-security-policy is defined as:

'none': No loading of resources.
'self': Only resources from the current origin.
unsafe-inline: Allow use of inline resources.
unsafe-evail: Allow use of dynamic code.
unsafe-hashes: Allow use of hashes.
unsafe-allow-redirects: Allow use of redirected resources.
strict-dynamic: Allow additional resources to be added dynamically.
report-sample: Indicates this resource will be used to generate a violation sample.
script-src: Script sources.
<protocol>:: Allow from this protocol.
<domain>: Allow from this domain.
nonce-<nonce>: Only with this nonce attribute.
sha-<sha>: Only with this SHA value.

Example

Content-Security-Policy: child-src 'none'; img-src https://domain.com

Content-Security-Policy: default-src 'self'

Parse

Enter a Content-Security-Policy header below to parse and return details about it.

Reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy