
CSP directive reference

A practical reference to every Content Security Policy directive you'll meet in real applications, with the source-expression tokens you'll combine to write them.

Directives

Directives fall into a few categories. Fetch directives control resource loading; document and navigation directives control how the page itself can be embedded or navigated; reporting directives describe where violations are sent.

  • default-src (Fetch)

    Fallback for any fetch directive you don't set explicitly. Most policies open with this and then widen specific resource classes. It does not cover base-uri, form-action or frame-ancestors; those must be set on their own or they stay unrestricted.

    default-src 'self';
  • script-src (Fetch)

    Where executable JavaScript may come from. The most important directive for XSS prevention. Pair with nonces or hashes for inline scripts; avoid 'unsafe-inline'.

    script-src 'self' 'nonce-r4nd0m' https://cdn.example.com;
  • script-src-elem (Fetch)

    Restricts the sources for <script> elements specifically, external and inline. Falls back to script-src when not set.

    script-src-elem 'self' https://cdn.example.com;
  • script-src-attr (Fetch)

    Restricts inline event handler attributes (onclick, onload, etc.). Setting this to 'none' is a strong baseline. Falls back to script-src when not set.

    script-src-attr 'none';
  • style-src (Fetch)

    Stylesheet origins, plus whether inline <style> blocks and style attributes are allowed. Inline <style> elements can be permitted with nonces or hashes; style attributes need 'unsafe-inline' (or 'unsafe-hashes' with a hash).

    style-src 'self' https://fonts.googleapis.com;
  • img-src (Fetch)

    Image origins. Use data: to permit inline base64 images; blob: for canvas or generated images.

    img-src 'self' data: https://images.example.com;
  • font-src (Fetch)

    Font origins. Required when loading webfonts from a CDN.

    font-src 'self' https://fonts.gstatic.com;
  • connect-src (Fetch)

    Targets for fetch(), XMLHttpRequest, WebSocket, EventSource and navigator.sendBeacon(): where your script is allowed to talk. Note that a WebSocket target needs the ws:// or wss:// form.

    connect-src 'self' https://api.example.com wss://realtime.example.com;
  • media-src (Fetch)

    Sources for <audio>, <video>, and <track> elements.

    media-src 'self' https://media.example.com;
  • frame-src (Fetch)

    Origins permitted to load into <iframe> and <frame> elements. Falls back to child-src, then default-src.

    frame-src https://www.youtube.com https://js.stripe.com;
  • worker-src (Fetch)

    Sources for Worker, SharedWorker and ServiceWorker scripts. Falls back to child-src, then script-src, then default-src. blob: is needed for workers created from in-page Blob URLs.

    worker-src 'self' blob:;
  • manifest-src (Fetch)

    Sources for the application manifest file.

    manifest-src 'self';
  • object-src (Fetch)

    Sources for <object> and <embed> (and the obsolete <applet>). Set to 'none' unless you have a specific reason: plugin content loaded through these elements can run script outside the reach of script-src.

    object-src 'none';
  • base-uri (Document)

    Restricts the URLs allowed in a <base> element. Set to 'self' or 'none' so an injected <base> cannot redirect the page's relative script and form URLs to an attacker's host. Not covered by default-src.

    base-uri 'self';
  • form-action (Navigation)

    Restricts where forms may submit. Prevents an injected form from POSTing credentials to an attacker-controlled endpoint. Not covered by default-src.

    form-action 'self';
  • frame-ancestors (Navigation)

    Controls which origins may embed your site in a frame; the modern replacement for the X-Frame-Options header (send both if you still support old browsers). Not covered by default-src, and honoured only when delivered as an HTTP header, never from a <meta> tag.

    frame-ancestors 'none';
  • upgrade-insecure-requests (Other)

    Instructs the browser to fetch the page's http:// subresources over https:// instead (and to upgrade same-origin navigations). Helpful while migrating mixed-content pages; it applies per page and is not a substitute for HSTS.

    upgrade-insecure-requests;
  • report-to (Reporting)

    Names a reporting endpoint group, declared in the Reporting-Endpoints header (older browsers used the Report-To header), to which the browser POSTs violation reports.

    report-to csp-endpoint;
  • report-uri (Reporting)

    Older reporting mechanism that takes a URL directly. Specify alongside report-to: browsers that understand report-to ignore report-uri, and older browsers use it.

    report-uri https://csp-report.com/v1/reports/your-token;
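The fallback rules above are easy to get wrong in practice, so here is a small added example (written for this reference, not code from the page or from any product) that encodes each directive's CSP3 fallback chain, reports which directives a policy leaves unrestricted, and serializes the policy to a header value. The sample policy and its hostnames are constructed placeholders.

```javascript
// Added example (not part of the original reference or any product code):
// CSP3 fallback chains for each directive, plus a check for directives that
// a given policy leaves entirely unrestricted.

// For each directive, the directives consulted (in order) when it is absent.
// An empty list means the directive never falls back to default-src.
const FALLBACKS = {
  'script-src-elem': ['script-src', 'default-src'],
  'script-src-attr': ['script-src', 'default-src'],
  'style-src-elem':  ['style-src', 'default-src'],
  'style-src-attr':  ['style-src', 'default-src'],
  'worker-src':      ['child-src', 'script-src', 'default-src'],
  'frame-src':       ['child-src', 'default-src'],
  'child-src':       ['default-src'],
  'script-src':      ['default-src'],
  'style-src':       ['default-src'],
  'img-src':         ['default-src'],
  'font-src':        ['default-src'],
  'connect-src':     ['default-src'],
  'media-src':       ['default-src'],
  'object-src':      ['default-src'],
  'manifest-src':    ['default-src'],
  // Document and navigation directives are never covered by default-src.
  'base-uri':        [],
  'form-action':     [],
  'frame-ancestors': [],
};

// Return the directive that actually governs `directive` under `policy`
// (an object mapping directive name -> array of source expressions), or
// null when nothing does, i.e. the browser applies no restriction at all.
function effectiveSources(policy, directive) {
  const chain = [directive, ...(FALLBACKS[directive] ?? [])];
  for (const name of chain) {
    if (Object.prototype.hasOwnProperty.call(policy, name)) {
      return { directive: name, sources: policy[name] };
    }
  }
  return null;
}

// Directives a policy leaves unrestricted. A policy that sets only
// default-src still reports base-uri, form-action and frame-ancestors here.
function uncoveredDirectives(policy) {
  return Object.keys(FALLBACKS).filter((d) => effectiveSources(policy, d) === null);
}

// Serialize to the Content-Security-Policy header value. Directives with no
// sources (upgrade-insecure-requests) are emitted as the bare name.
function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// Constructed sample policy (hostnames are placeholders).
const samplePolicy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'nonce-r4nd0m'", 'https://cdn.example.com'],
  'child-src': ['https://www.youtube.com'],
  'upgrade-insecure-requests': [],
};

console.log(serializePolicy(samplePolicy));
console.log('worker-src governed by:', effectiveSources(samplePolicy, 'worker-src').directive);
console.log('unrestricted:', uncoveredDirectives(samplePolicy).join(', '));
```

Run it with node and the last line lists base-uri, form-action and frame-ancestors as unrestricted even though default-src is 'self'; that is the gap a policy built only from fetch directives leaves open.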

Source expressions

Each directive takes a list of source expressions. You can mix and match — e.g. script-src 'self' 'nonce-abc' https://cdn.example.com. The keywords below are the ones you'll combine.

'self'
The page's own origin (scheme + host + port). Almost always present. data: and blob: URLs never match 'self'.
'none'
Block everything for this directive. A strong default for object-src and frame-ancestors.
'unsafe-inline'
Allows inline <script>/<style> (and, for style-src, style attributes). Defeats much of the purpose of CSP; prefer nonces or hashes. CSP3 browsers ignore 'unsafe-inline' when a nonce or hash appears in the same directive, so it only serves as a fallback for old browsers.
'unsafe-eval'
Allows eval(), new Function() and string arguments to setTimeout()/setInterval(). Avoid unless a critical dependency requires it.
'nonce-<value>'
Allows an inline script or style tag carrying a matching nonce attribute. Generated server-side per response from a CSPRNG (at least 128 bits) and never reused or derived from anything predictable.
'sha256-<hash>'
Allows an inline script or style whose body hashes to the given base64-encoded digest. The hash covers the exact bytes between the tags, whitespace included, so any edit to the block needs a new hash. Use sha256, sha384, or sha512.
'strict-dynamic'
When paired with a nonce or hash, scripts that a trusted script loads dynamically (for example via createElement('script')) are also allowed, while host allowlists, 'self' and 'unsafe-inline' in the same directive are ignored. Lets you drop host allowlists in modern browsers; scripts inserted through innerHTML or document.write() remain blocked.
https:
A scheme-only source. Allows any HTTPS origin. Broad — prefer naming specific hosts.
data:
Allows data: URLs. Reasonable in img-src or font-src; dangerous in script-src or object-src, where attacker-controlled data: content is effectively arbitrary inline code.
https://example.com
A specific host, optionally with a scheme, a wildcard leftmost label (https://*.example.com matches subdomains but not example.com itself), a port, or a path. The most common kind of source expression in real policies.

Get started

Skip the hand-written allowlists

Consepo crawls your site in a real browser and assembles a directive-by-directive policy from what your pages actually load — exportable to header, meta tag, WordPress MU plugin, Cloudflare Worker, or JSON.

Authoritative reference: MDN Content-Security-Policy header