Used to protect users from Cross Site Scripting and Data Injection attacks.
A Content-Security-Policy (CSP) is a header that protects a website's users from certain types of attacks. It works by telling the browser which domains should be trusted as valid sources for content. This way, if an attacker manages to inject malicious scripts or images into the website, they won't be run or displayed.
For more information about potential attacks and how ValidBot tests your website, please read about our Content-Security-Policy Validation Test.
Content-Security-Policy: default-src https:
If this website wanted to load images from an insecure http location, the CSP could be modified like this.
Content-Security-Policy: default-src https:; img-src https: http://www.example.com
In the examples above you will see that a CSP is a list of one or more policies separated by semicolons. A policy consists of a directive followed by a space-separated list of permitted values. Here is a summary of the most commonly used directives and values. For a complete list, please read the documentation on MDN Web Docs.
Directives
default-src: The default values for all other directives that are not otherwise specified.
img-src: Valid sources for loading images.
media-src: Valid sources for loading video and audio files.
font-src: Valid sources for loading fonts.
style-src: Valid sources for loading CSS stylesheets.
Values
<url>: Allows resources from a specific URL, with any part of the URL being optional or a wildcard (*). (example.com, *.example.com, https:, https://example.com/css/style.css)
'none': Nothing is allowed to load for this directive.
'self': The current website is the only valid source.
'unsafe-inline': Allows inline resources.
'unsafe-eval': Allows the usage of eval() to run scripts.
'nonce-<base64>': Allows specific approved inline scripts to run.
<hash>: Allows specific approved scripts to run unless they have been modified.
Content-Security-Policy: default-src 'self'; media-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.example.com/
Note that URLs do not need to be quoted, but the other values must be quoted in order to function properly.
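The structure and quoting rule described above can be checked mechanically. The following is an added example, not ValidBot's code: the function names (parseCsp, effectiveSources, lintCsp) and the finding messages are hypothetical, and it only covers the directives and values summarized on this page.

```javascript
// Added example: parse a Content-Security-Policy value and flag common mistakes.
// Keywords that only work when wrapped in single quotes.
const KEYWORDS = ['none', 'self', 'unsafe-inline', 'unsafe-eval'];

// Split the header value into a Map of directive name -> array of values.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (!name) continue; // empty segment, e.g. after a trailing ';'
    const key = name.toLowerCase(); // directive names are case-insensitive
    if (!policy.has(key)) policy.set(key, values); // a repeated directive is ignored
  }
  return policy;
}

// Sources that apply to a content directive such as img-src or font-src:
// its own list if present, otherwise the default-src list, otherwise null.
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get('default-src') ?? null;
}

// Return a list of human-readable findings for one header value.
function lintCsp(header) {
  const findings = [];
  for (const [directive, values] of parseCsp(header)) {
    for (const v of values) {
      const bare = v.toLowerCase();
      if (KEYWORDS.includes(bare) || /^(nonce|sha(256|384|512))-/.test(bare)) {
        // Without quotes the browser does not treat the value as a keyword.
        findings.push(`${directive}: ${v} must be wrapped in single quotes`);
      } else if (bare === "'unsafe-inline'" || bare === "'unsafe-eval'") {
        findings.push(`${directive}: ${v} weakens the policy`);
      } else if (bare === 'http:' || bare.startsWith('http://')) {
        findings.push(`${directive}: ${v} permits loading over insecure http`);
      }
    }
  }
  return findings;
}

// The last example header from this page: one finding, for script-src 'unsafe-inline'.
const pageExample = "default-src 'self'; media-src 'none'; " +
  "script-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.example.com/";
console.log(lintCsp(pageExample));
```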
To learn more about security and other headers which can benefit your users, please read our article on Security Headers.