Content-Security-Policy (CSP)
- is an HTTP response header that allows a website to control resources the user agent is allowed to load for a given page
- helps guard against Cross-Site Scripting (XSS) attacks
Syntax
Content-Security-Policy: <policy-directive>[; <policy-directive>]*
where:
<policy-directive> consists of: <directive> <value>, with no internal punctuation between the directive name and its values (values are separated by spaces, directives by semicolons)
Policy
Your policy should include a default-src directive, which is the fallback for resource types that have no directive of their own (for the complete list of directives it covers, see the description of default-src). Note that the fallback only applies when the specific directive is absent: once you set script-src, default-src is no longer consulted for scripts, so anything you want for scripts (including 'self') must be repeated there.
Examples
Example 1
A website administrator wants all content to come from the site's own origin (this excludes subdomains, since a different host is a different origin).
Content-Security-Policy: default-src 'self'
Example 2
A website administrator wants to allow content from a trusted domain and all its subdomains (it does not have to be the same domain the CSP is set on). Note that *.trusted.com matches subdomains only; the bare host trusted.com must be listed separately, as below.
Content-Security-Policy: default-src 'self' trusted.com *.trusted.com
Example 3
A website administrator wants to allow users of a web application to include images from any origin in their own content, but to restrict audio or video media to trusted providers, and all scripts only to a specific server that hosts trusted code.
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
Here, by default, content is only permitted from the document's origin, with the following exceptions:
- Images may load from anywhere (note the "*" wildcard)
- Media is only allowed from media1.com and media2.com (and not from subdomains of those sites)
- Executable script is only allowed from userscripts.example.com; because script-src is present, default-src is not consulted for scripts, so scripts from the document's own origin are blocked unless 'self' is added to script-src
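To make the fallback and matching rules in the three examples concrete, here is a small CSP evaluator added to this page as an illustration. It is not a browser implementation and not code from the CSP specification: it parses a policy string into directives, picks the governing directive for a resource type (falling back to default-src only when the specific directive is absent), and matches 'self', '*', exact hosts and *.wildcard hosts. Scheme, port and path matching, nonces, hashes and the other keyword sources are deliberately left out. The function names, the resource-type table and the sample URLs are all assumptions made for this example.

```javascript
// Parse "directive value value; directive value" into a Map of
// directive name -> array of source expressions. The first occurrence of a
// directive wins; later duplicates are ignored, as CSP requires.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Resource type -> fetch directive. Anything not listed here, or whose
// directive is absent from the policy, is governed by default-src.
// (Hypothetical table for this example; the spec has more directives.)
const FETCH_DIRECTIVES = {
  script: 'script-src', img: 'img-src', media: 'media-src',
  style: 'style-src', font: 'font-src', connect: 'connect-src', frame: 'frame-src',
};

// Host-source matching, simplified to host names only.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  if (p === '*') return true;
  if (p.startsWith('*.')) {
    // *.trusted.com matches a.trusted.com but NOT trusted.com itself,
    // and not nottrusted.com (the dot must be present).
    const suffix = p.slice(1); // ".trusted.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return p === host;
}

// Does one source expression permit loading resourceUrl from pageUrl?
function sourceAllows(source, pageUrl, resourceUrl) {
  if (source === "'self'") return resourceUrl.origin === pageUrl.origin;
  if (source === "'none'") return false;
  // Strip an optional scheme prefix (e.g. https://) and compare hosts only.
  const pattern = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  return hostMatches(pattern, resourceUrl.hostname);
}

// Decide whether a resource of the given type may be loaded under the policy.
function isAllowed(policy, pageOrigin, resourceType, resourceUrl) {
  const directives = parsePolicy(policy);
  const page = new URL(pageOrigin);
  const url = new URL(resourceUrl);
  const specific = FETCH_DIRECTIVES[resourceType];
  let sources = specific !== undefined ? directives.get(specific) : undefined;
  // Fallback happens only when the specific directive is entirely absent.
  if (sources === undefined) sources = directives.get('default-src');
  // No governing directive at all: CSP imposes no restriction.
  if (sources === undefined) return true;
  return sources.some((s) => sourceAllows(s, page, url));
}

// Constructed sample: Example 3's policy, served from https://example.com
const EXAMPLE3 = "default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com";
const PAGE = 'https://example.com';
console.log('image from any host :', isAllowed(EXAMPLE3, PAGE, 'img', 'https://cdn.anything.net/pic.png'));
console.log('media from subdomain:', isAllowed(EXAMPLE3, PAGE, 'media', 'https://cdn.media1.com/a.mp4'));
console.log('own-origin script   :', isAllowed(EXAMPLE3, PAGE, 'script', 'https://example.com/app.js'));
```

The last line is the trap worth remembering: with Example 3's policy, a script from the site's own origin is blocked, because script-src exists and does not list 'self', and default-src is never consulted for it.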