| Directive | Description | Example |
|---|---|---|
| `default-src` | Fallback for the other fetch directives. If `script-src` is not specified, the browser falls back to `default-src` for scripts. | `default-src 'self' https://cdn.example.com` |
| `script-src` | Controls which scripts can be executed. Critical for XSS prevention. Consider using nonces or hashes instead of `'unsafe-inline'`. | `script-src 'self' 'nonce-abc123' https://apis.google.com` |
| `style-src` | Controls which stylesheets can be applied. `'unsafe-inline'` is often needed for frameworks that inject styles. | `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com` |
| `img-src` | Controls which images can be loaded. `data:` is often needed for inline images and base64-encoded content. | `img-src 'self' data: https://images.example.com` |
| `font-src` | Controls which fonts can be loaded. Required for Google Fonts and other web font services. | `font-src 'self' https://fonts.gstatic.com` |
| `connect-src` | Controls the URLs reachable from `fetch()`, `XMLHttpRequest`, WebSocket and EventSource. Essential for API calls. | `connect-src 'self' https://api.example.com wss://socket.example.com` |
| `frame-src` | Controls which URLs can be loaded in iframes. Required for embedded content like YouTube videos. | `frame-src 'self' https://www.youtube.com` |
| `object-src` | Controls plugins like Flash, Java and Silverlight. Should almost always be `'none'` for security. | `object-src 'none'` |
| `base-uri` | Restricts the URLs allowed in the `base` element. Prevents base tag injection attacks. | `base-uri 'self'` |
| `form-action` | Restricts form submission targets. Helps prevent form hijacking. | `form-action 'self' https://payment.example.com` |
| `frame-ancestors` | Controls which sites can embed your page. Replaces `X-Frame-Options`. Prevents clickjacking. | `frame-ancestors 'none'` |
| `report-uri` / `report-to` | Where the browser sends violation reports. `report-uri` takes a URL, while `report-to` names a reporting endpoint group. Use `report-to` for newer browsers. | `report-uri /csp-report; report-to csp-endpoint` |
| `upgrade-insecure-requests` | Instructs browsers to upgrade HTTP requests to HTTPS. Useful when migrating to HTTPS. | `upgrade-insecure-requests` |
| Source expression | Meaning |
|---|---|
| `'self'` | Same origin only (same scheme, host and port) |
| `'none'` | Blocks all sources for this directive |
| `'unsafe-inline'` | Allows inline scripts/styles (security risk) |
| `'unsafe-eval'` | Allows `eval()` and similar (security risk) |
| `'strict-dynamic'` | Trust scripts loaded by already-trusted scripts |
| `'nonce-xxx'` | Allow scripts with a matching `nonce` attribute |
| `'sha256-xxx'` | Allow scripts matching the hash |
| `data:` | Data URLs (base64 images, etc.) |
| `blob:` | Blob URLs (generated content) |
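As an added example (not from the original page), a small Python linter that parses a CSP header into its directives, applies the `default-src` fallback described above for the fetch directives, and flags the weak settings this reference warns about; the two sample policies and their hostnames are constructed for illustration.

```python
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "frame-src", "object-src"}
# Browsers that understand nonces/hashes ignore 'unsafe-inline' next to them.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Constructed sample policies (hypothetical hosts), one weak and one hardened.
WEAK = ("default-src 'self'; script-src 'self' 'unsafe-inline' https://apis.example.com; "
        "style-src 'self' 'unsafe-inline'")
HARDENED = ("default-src 'self'; script-src 'self' 'nonce-abc123' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'")

def parse_csp(header: str) -> dict:
    """Split "dir src src; dir src" into {directive: [sources]}.
    Names are case-insensitive; a repeated directive is ignored, as browsers do."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy: dict, directive: str):
    """Sources that govern `directive` once the default-src fallback is applied.
    Returns None when nothing restricts the directive at all."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")  # still None if default-src is absent
    return None  # base-uri, form-action and frame-ancestors never fall back

def lint_csp(header: str) -> list:
    """Flag the weak settings called out in the directive reference."""
    policy = parse_csp(header)
    findings = []
    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("no script-src and no default-src: scripts unrestricted")
    else:
        if "'unsafe-inline'" in scripts and not any(
                s.startswith(NONCE_OR_HASH) for s in scripts):
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval'")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none' (plugins allowed)")
    for directive in ("base-uri", "frame-ancestors"):
        if directive not in policy:
            findings.append(f"{directive} missing (it has no default-src fallback)")
    return findings
```

Running `lint_csp(WEAK)` reports the inline scripts, the `object-src` fallback to `'self'` and the missing `base-uri`/`frame-ancestors`, while `lint_csp(HARDENED)` returns an empty list.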