
CSP Directive Reference

Quick reference for all CSP directives and source values.

Fetch directives: control which resources can be loaded.

| Directive | Description | Example |
|---|---|---|
| default-src | Fallback for any fetch directive that is not set explicitly | default-src 'self' |
| script-src | Valid sources for JavaScript | script-src 'self' https://cdn.com |
| style-src | Valid sources for stylesheets | style-src 'self' 'unsafe-inline' |
| img-src | Valid sources for images | img-src 'self' data: https: |
| font-src | Valid sources for fonts | font-src 'self' https://fonts.com |
| connect-src | Valid URLs for fetch, XHR, WebSocket, EventSource and sendBeacon | connect-src 'self' wss://api.com |
| media-src | Valid sources for <audio>, <video> and <track> | media-src 'self' |
| object-src | Valid sources for <object> and <embed> (and the obsolete <applet>) | object-src 'none' |
| frame-src | Valid sources for <frame> and <iframe> | frame-src https://youtube.com |
| child-src | Valid sources for workers and frames; largely superseded, since frame-src and worker-src take precedence when present | child-src 'self' blob: |
| worker-src | Valid sources for Worker, SharedWorker and ServiceWorker | worker-src 'self' blob: |
| manifest-src | Valid sources for web app manifests | manifest-src 'self' |
| prefetch-src | Valid sources for prefetch and prerender; dropped from the CSP3 draft and not honoured by current browsers | prefetch-src 'self' |

default-src covers only the fetch directives above. base-uri, form-action, frame-ancestors and sandbox never fall back to it, so a policy consisting of just default-src 'none' still lets forms post anywhere and any site frame the page; set those directives explicitly.
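To make the fallback and matching rules in the table concrete, here is a small policy evaluator. It is an added example, not code from this reference or from any browser: it parses a policy string, resolves a directive through the default-src fallback (fetch directives only), and matches a URL against the resulting source list. It handles 'self', 'none', '*', scheme sources and host sources with optional scheme, wildcard subdomain and port; paths on host sources are accepted but ignored, and nonces, hashes and 'strict-dynamic' are out of scope. The policy and URLs in the comments are constructed inputs.

```javascript
// Added example, not code from the reference page: a minimal CSP evaluator
// covering default-src fallback and source-expression matching.

// Fetch directives fall back to default-src when absent; nothing else does.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src', 'media-src',
  'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src', 'prefetch-src',
]);

// "a b; c d" -> Map { 'a' => ['b'], 'c' => ['d'] }. Browsers keep the first
// occurrence of a repeated directive, so this does too.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list governing `directive`, or null when it is unrestricted.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

function defaultPort(protocol) {
  return { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' }[protocol] || '';
}

// Does one source expression match `url` for a document served from `origin`?
function matchesSource(expr, url, origin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") {
    return url.protocol === origin.protocol && url.hostname === origin.hostname &&
      (url.port || defaultPort(url.protocol)) === (origin.port || defaultPort(origin.protocol));
  }
  // '*' never covers data:, blob: or filesystem: URLs.
  if (e === '*') return !/^(data|blob|filesystem):$/.test(url.protocol);
  // Scheme source such as https: or data:. http: also admits https:, ws: admits wss:.
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) {
    return url.protocol === e || (e === 'http:' && url.protocol === 'https:') ||
      (e === 'ws:' && url.protocol === 'wss:');
  }
  // Host source: [scheme://]host[:port][/path]. Keywords, nonces and hashes fail here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*?[a-z0-9.-]+|\*)(?::(\d+|\*))?(?:\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // A scheme-less host takes the page's scheme, plus the https: upgrade of an http: page.
  const schemeOk = scheme
    ? url.protocol === `${scheme}:`
    : url.protocol === origin.protocol || (origin.protocol === 'http:' && url.protocol === 'https:');
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1))   // '*.example.com' never matches the apex
    : url.hostname === host;
  const urlPort = url.port || defaultPort(url.protocol);
  const portOk = port === undefined ? urlPort === defaultPort(url.protocol)
    : port === '*' || urlPort === port;
  return schemeOk && hostOk && portOk;
}

// Would a load of `urlString` governed by `directive` be permitted by `policy`
// on a page served from `originString`?
function isAllowed(policy, directive, urlString, originString) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true;       // directive unset and no fallback applies
  const url = new URL(urlString);
  const origin = new URL(originString);
  return sources.some((s) => matchesSource(s, url, origin));
}

// Constructed policy for a page at https://app.example.com/:
//   default-src 'self'; script-src 'self' https://cdn.com; img-src 'self' data: https:
// style-src is unset, so a stylesheet from cdn.com is refused (default-src has no cdn.com),
// while a form posting to evil.com is permitted because form-action never falls back.
```

The last point is the one worth checking against real policies: run isAllowed with directive 'form-action' or 'frame-ancestors' against a policy that only sets default-src, and it returns true for any URL.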

Document directives: control document properties.

| Directive | Description | Example |
|---|---|---|
| base-uri | Valid URLs for the <base> element; not covered by default-src, so set it explicitly or an injected <base> can redirect every relative script URL | base-uri 'self' |
| sandbox | Apply sandbox restrictions to the page (same flags as iframe sandbox); honoured only in the HTTP header, ignored in a <meta> tag | sandbox allow-scripts |

Navigation directives: control where users can navigate.

| Directive | Description | Example |
|---|---|---|
| form-action | Valid URLs for form submissions; not covered by default-src | form-action 'self' |
| frame-ancestors | Valid parents that may embed this page; replaces X-Frame-Options and works only in the HTTP header, not in a <meta> tag | frame-ancestors 'none' |
| navigate-to | Valid URLs the document can navigate to; dropped from the CSP3 draft and not implemented in any shipping browser | navigate-to 'self' |

Reporting directives: configure violation reporting.

| Directive | Description | Example |
|---|---|---|
| report-uri | URL to send violation reports to; deprecated in CSP3 but still the most widely supported option, and ignored by browsers that also understand report-to | report-uri https://ingest.headerhawk.com/csp/ID |
| report-to | Reporting API endpoint group name; the group must be declared in a Reporting-Endpoints header (or the older Report-To header), otherwise nothing is sent | report-to csp-endpoint |

Both may be listed in one policy; each browser uses whichever it supports. Neither works from a <meta> tag. To trial a policy without breaking anything, send it in a Content-Security-Policy-Report-Only header, which reports violations but does not block.
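The two delivery mechanisms post different JSON shapes: report-uri sends one object under a "csp-report" key with hyphenated field names, report-to sends an array of Reporting API reports whose body uses camelCase names. The following is an added example, not code from this reference or from any collector, showing how an endpoint can normalise both into one record, drop reports caused by browser extensions, and aggregate the rest. The sample reports are constructed, not captured traffic.

```javascript
// Added example, not code from the reference page: normalise CSP violation
// reports from report-uri and report-to into one shape and summarise them.

// Field names differ between the two formats; map both onto one set.
const KEYS = {
  documentURL: ['document-uri', 'documentURL'],
  effectiveDirective: ['effective-directive', 'effectiveDirective', 'violated-directive'],
  blockedURL: ['blocked-uri', 'blockedURL'],
  sourceFile: ['source-file', 'sourceFile'],
  lineNumber: ['line-number', 'lineNumber'],
  sample: ['script-sample', 'sample'],
  disposition: ['disposition'],
};

function pick(obj, names) {
  for (const n of names) if (obj[n] !== undefined) return obj[n];
  return undefined;
}

function normaliseBody(body) {
  const out = {};
  for (const [field, names] of Object.entries(KEYS)) out[field] = pick(body, names);
  return out;
}

// Accept the raw request body of either format; return normalised reports.
function parseCspReports(jsonText) {
  const data = JSON.parse(jsonText);
  if (Array.isArray(data)) {                 // Reporting API (report-to): may mix report types
    return data.filter((r) => r.type === 'csp-violation').map((r) => normaliseBody(r.body));
  }
  if (data && data['csp-report']) {          // legacy report-uri: exactly one report
    return [normaliseBody(data['csp-report'])];
  }
  throw new Error('not a CSP violation report');
}

// Violations triggered by browser extensions, not by the page: the blocked or
// originating URL uses an extension scheme. These dominate raw feeds.
const EXTENSION_SCHEMES = /^(chrome|moz|safari-web|ms-browser)-extension:/;

function isExtensionNoise(report) {
  return EXTENSION_SCHEMES.test(report.blockedURL || '') ||
    EXTENSION_SCHEMES.test(report.sourceFile || '');
}

// Group actionable reports by directive and blocked URL, most frequent first,
// so one missing allowlist entry shows up as one line with a count.
function summarise(reports) {
  const counts = new Map();
  for (const r of reports) {
    if (isExtensionNoise(r)) continue;
    const key = `${r.effectiveDirective} ${r.blockedURL}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1])
    .map(([key, count]) => ({ key, count }));
}

// Constructed sample bodies (not real traffic), one per delivery mechanism.
const SAMPLE_REPORT_URI = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example.com/',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'blocked-uri': 'https://cdn.example.net/widget.js',
    'original-policy': "default-src 'self'; script-src 'self'",
    'disposition': 'enforce',
  },
});

const SAMPLE_REPORT_TO = JSON.stringify([
  { type: 'csp-violation', url: 'https://app.example.com/', body: {
      documentURL: 'https://app.example.com/', effectiveDirective: 'script-src',
      blockedURL: 'https://cdn.example.net/widget.js', disposition: 'enforce' } },
  { type: 'csp-violation', url: 'https://app.example.com/', body: {
      documentURL: 'https://app.example.com/', effectiveDirective: 'script-src',
      blockedURL: 'inline', sourceFile: 'chrome-extension://abcdefgh/content.js', lineNumber: 12 } },
  { type: 'deprecation', url: 'https://app.example.com/', body: { id: 'SomeFeature' } },
]);
```

Two things to keep in mind when wiring this to a real endpoint: report-uri requests arrive with Content-Type application/csp-report and report-to requests with application/reports+json, and the endpoint must be reachable without a session and must not itself be subject to a CSP that blocks the POST.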
Other directives.

| Directive | Description | Example |
|---|---|---|
| upgrade-insecure-requests | Rewrite HTTP subresource requests (and same-origin navigations) to HTTPS before they are sent | upgrade-insecure-requests |
| block-all-mixed-content | Block all HTTP content on HTTPS pages; deprecated, since browsers now block active mixed content and upgrade passive mixed content on their own | block-all-mixed-content |
| require-trusted-types-for | Require Trusted Types objects at DOM XSS sinks such as innerHTML, document.write, eval and script src | require-trusted-types-for 'script' |
| trusted-types | Restrict which Trusted Types policy names may be created (default is the name of the fallback policy) | trusted-types default |
Source values: what may appear in a directive's source list.

| Value | Description |
|---|---|
| 'self' | Same origin as the document (same scheme, host and port) |
| 'none' | No sources allowed; must be the only value in the directive |
| 'unsafe-inline' | Allow inline scripts/styles; ignored by CSP2+ browsers when the same directive also contains a nonce or hash |
| 'unsafe-eval' | Allow eval(), Function(), and string arguments to setTimeout()/setInterval() |
| 'unsafe-hashes' | Let hash sources also match inline event handlers (onclick="..."), javascript: URLs and style attributes, not only <script>/<style> blocks |
| 'strict-dynamic' | Trust scripts loaded by an already-trusted (nonced or hashed) script; host, scheme and 'unsafe-inline' sources in the same directive are then ignored |
| 'report-sample' | Include the first 40 characters of the offending inline code in violation reports |
| 'nonce-{base64}' | Allow inline scripts/styles whose nonce attribute matches; use a fresh unguessable value (at least 128 bits) per response |
| 'sha256-{hash}' | Allow inline scripts/styles whose exact text hashes to the given base64 value |
| 'sha384-{hash}' | Same, using SHA-384 |
| 'sha512-{hash}' | Same, using SHA-512 |
| https: | Any HTTPS URL |
| http: | Any HTTP URL (not recommended); also matches HTTPS |
| data: | Data URIs; in script-src or object-src this is as permissive as 'unsafe-inline' |
| blob: | Blob URIs |
| mediastream: | MediaStream URIs |
| filesystem: | FileSystem URIs |
| wss: | WebSocket Secure URLs |
| https://example.com | Specific origin; a path may be appended (https://example.com/libs/), and a host given without a scheme matches the page's own scheme |
| *.example.com | Any subdomain of example.com, but not example.com itself; likewise a bare example.com does not match its subdomains |
Example policies.

Strict baseline (deny everything, then allow only the page's own origin):
Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'

Typical site with a CDN and third-party fonts ('unsafe-inline' in style-src is the weak spot; move inline styles into files or behind nonces/hashes where possible):
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com

Google Analytics:
Content-Security-Policy: default-src 'self'; script-src 'self' https://www.google-analytics.com https://www.googletagmanager.com; img-src 'self' https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com

YouTube embeds (default-src 'self' keeps everything else locked down):
Content-Security-Policy: default-src 'self'; frame-src https://www.youtube.com https://www.youtube-nocookie.com; script-src 'self'

All modern browsers support CSP Level 2. Some CSP Level 3 features have limited support:

| Feature | Chrome | Firefox | Safari | Edge |
|---|---|---|---|---|
| CSP Level 2 | 40+ | 31+ | 10+ | 15+ |
| strict-dynamic | 52+ | 52+ | 15.4+ | 79+ |
| report-to | 70+ | No | No | 79+ |
| trusted-types | 83+ | No | No | 83+ |