HTTP Response Headers

Content-Security-Policy

Used to protect users from Cross Site Scripting and Data Injection attacks.

A Content-Security-Policy (CSP) is a header that protects a website's users from certain types of attacks. It works by telling the browser which domains should be trusted as valid sources for content. This way, if an attacker manages to inject malicious scripts or images into the website, they won't be run or displayed.

For more information about potential attacks and how ValidBot test your website, please read about our Content-Security-Policy Validation Test.

Examples

In this example, all resources (images, scripts, fonts, CSS, etc) must be loaded over an SSL connection and inline javascript, css or other content is not allowed.

Content-Security-Policy: default-src https:

If this website wanted to load images from an insecure http location, the CSP could be modified like this.

Content-Security-Policy: default-src https:; img-src https: http://www.example.com

In the examples above you will see that a CSP is a list of one or more policies separated by semicolons. A policy consists of a directive followed by a space separated list of permitted values. Here is a summary of the most commonly used directives and values. For a complete list, please read the documentation on MDN Web Docs.

Directives
  • default-src: The default values for all other directives that are not otherwise specified.
  • img-src: Valid sources for loading images.
  • media-src: Valid sources for loading video and audio files.
  • font-src: Valid sources for loading fonts.
  • script-src: Valid sources for loading JavaScript.
  • connect-src: Valid URLs which can be loaded via JavaScript.
  • style-src: Valid sources for loading css stylesheets.
Values
  • <url>: Allows resources from a specific url with any part of the url being optional or a wildcard (*). (example.com, *.example.com, https:, https://example.com/css/style.css
  • 'none': Nothing is allowed to load for this directive.
  • 'self': The current website is the only valid source.
  • 'unsafe-inline': Allows inline resources.
  • 'unsafe-eval': Allows the usage of eval() to run scripts.
  • 'nonce-<base64>': Allows specific approved inline scripts to run.
  • <hash>: Allows specific approved scripts to run unless they have been modified.

Here is an example CSP that blocks all media, allows inline JavaScript, allows images to be loaded from the CDN and all other resources must be loaded directly from the current website.

Content-Security-Policy: default-src 'self'; media-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.example.com/

Note that URLs do not need to be quoted, but the other values must be quoted in order to function properly.

To learn more about security and other headers which can benefit your users, please read our article on Security Headers and to get helping making your own CSP, please try our CSP Generator.

Ready to validate your website to check for this header and 100+ others important tests?