Content-Security-Policy Directive Reference
Alphabetized CSP directive summaries and practical examples adapted from MDN. Use this page as a quick reference while you are reading scan results or composing policies.

base-uri
Restricts which URLs can be used in a page's <base> element so relative links cannot be rewritten to an unexpected origin.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: base-uri 'self';
block-all-mixed-content
Blocks insecure HTTP subresources on HTTPS pages so browsers do not load mixed content.
Note: obsolete; modern mixed content handling already covers this behavior.
Allowed values:
  (bare directive only)
Example:
  Content-Security-Policy: block-all-mixed-content;
child-src
Legacy fallback for nested browsing contexts and workers. Modern policies usually prefer frame-src and worker-src.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: child-src 'self' https://widgets.example.com;
connect-src
Controls the destinations allowed for fetch, XMLHttpRequest, WebSocket, EventSource, and similar network connections.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: connect-src 'self' https://api.example.com;
default-src
Provides a fallback source list for fetch directives that are not explicitly set elsewhere in the policy.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: default-src 'self';
fenced-frame-src
Restricts the sources that can be loaded into fenced frames, which are designed for privacy-preserving embedded content.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: fenced-frame-src https://ads.example.com;
font-src
Controls where fonts can be loaded from, including fonts referenced by @font-face.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: font-src 'self' https://fonts.example.com;
form-action
Limits where forms can submit data so posted credentials and messages only go to approved endpoints.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: form-action 'self';
frame-ancestors
Controls which parent pages are allowed to embed the current document in a frame, iframe, or object context.
Allowed values:
  'none'
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: frame-ancestors 'none';
frame-src
Restricts the sources that can be loaded into frames and iframes.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: frame-src https://player.example.com;
img-src
Controls which origins may deliver images, favicons, and other image-like resources.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: img-src 'self' data: https://images.example.com;
manifest-src
Sets the allowed sources for web app manifest files.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: manifest-src 'self';
media-src
Restricts audio, video, and text track sources.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: media-src 'self' https://media.example.com;
object-src
Controls plug-in style resources such as object, embed, and applet content. Most modern policies set this to 'none'.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: object-src 'none';
plugin-types
Limits which MIME types are allowed for embedded plugin content.
Note: deprecated in modern CSP usage.
Allowed values:
  <media-type>
Example:
  Content-Security-Policy: plugin-types application/pdf;
prefetch-src
Defines the sources that may be used for prefetching or similar speculative loading behavior.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: prefetch-src 'self' https://cdn.example.com;
report-to
Points CSP violation reports at a Reporting API endpoint group configured elsewhere in the response headers. The group name must match one declared in the Reporting-Endpoints header, whose URLs are quoted strings.
Allowed values:
  <endpoint-group-name>
Example:
  Reporting-Endpoints: csp="https://reports.example.com/csp"
  Content-Security-Policy: report-to csp;
report-uri
Legacy reporting destination for CSP violation reports. It is still useful for compatibility with older browsers and tooling.
Note: use report-to for new policies.
Allowed values:
  <URI>
Example:
  Content-Security-Policy: report-uri https://reports.example.com/csp;
require-trusted-types-for
Requires Trusted Types at sensitive DOM XSS sinks so string-based injection paths are rejected.
Allowed values:
  'script'
Example:
  Content-Security-Policy: require-trusted-types-for 'script';
sandbox
Applies iframe-style sandbox restrictions to the protected document, disabling capabilities unless they are explicitly re-enabled.
Allowed values:
  (bare directive)
  allow-downloads
  allow-forms
  allow-modals
  allow-orientation-lock
  allow-pointer-lock
  allow-popups
  allow-popups-to-escape-sandbox
  allow-presentation
  allow-same-origin
  allow-scripts
  allow-storage-access-by-user-activation
  allow-top-navigation
  allow-top-navigation-by-user-activation
  allow-top-navigation-to-custom-protocols
Example:
  Content-Security-Policy: sandbox allow-scripts;
script-src
Controls where JavaScript and related executable content can load from. It is one of the most important CSP directives.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
  'unsafe-inline'
  'unsafe-hashes'
  'unsafe-eval'
  'wasm-unsafe-eval'
  'strict-dynamic'
  'report-sample'
  'nonce-<nonce_value>'
  'sha256-<hash_value>'
  'sha384-<hash_value>'
  'sha512-<hash_value>'
Example:
  Content-Security-Policy: script-src 'self' https://cdn.example.com;
script-src-attr
Restricts script content that appears inside HTML event handler attributes such as onclick or onload.
Allowed values:
  'none'
  'unsafe-inline'
  'unsafe-hashes'
  'report-sample'
Example:
  Content-Security-Policy: script-src-attr 'none';
script-src-elem
Restricts script elements specifically, separate from inline handler attributes. Same source-list syntax as script-src, except 'unsafe-hashes' does not apply here.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
  'unsafe-inline'
  'unsafe-eval'
  'strict-dynamic'
  'report-sample'
  'nonce-<nonce_value>'
  'sha256-<hash_value>'
  'sha384-<hash_value>'
  'sha512-<hash_value>'
Example:
  Content-Security-Policy: script-src-elem 'self' https://cdn.example.com;
style-src
Controls where stylesheets and style resources can be loaded from.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
  'unsafe-inline'
  'unsafe-hashes'
  'unsafe-eval'
  'report-sample'
  'nonce-<nonce_value>'
  'sha256-<hash_value>'
  'sha384-<hash_value>'
  'sha512-<hash_value>'
Example:
  Content-Security-Policy: style-src 'self' https://fonts.example.com;
style-src-attr
Restricts CSS in style attributes on elements, which helps reduce style injection risk.
Allowed values:
  'none'
  'unsafe-inline'
  'unsafe-hashes'
  'report-sample'
Example:
  Content-Security-Policy: style-src-attr 'none';
style-src-elem
Controls sources for style elements and linked stylesheets separately from inline style attributes. Same source-list syntax as style-src, except 'unsafe-hashes' does not apply here.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
  'unsafe-inline'
  'unsafe-eval'
  'report-sample'
  'nonce-<nonce_value>'
  'sha256-<hash_value>'
  'sha384-<hash_value>'
  'sha512-<hash_value>'
Example:
  Content-Security-Policy: style-src-elem 'self' https://fonts.example.com;
trusted-types
Defines the Trusted Types policy names that the page is allowed to create and use.
Allowed values:
  (bare directive)
  'none'
  <policyName>
  <policyName> <policyName> 'allow-duplicates'
  *
Example:
  Content-Security-Policy: trusted-types default dompurify;
upgrade-insecure-requests
Tells the browser to rewrite HTTP requests to HTTPS automatically when possible.
Allowed values:
  (bare directive only)
Example:
  Content-Security-Policy: upgrade-insecure-requests;
worker-src
Restricts the sources that can be used for web workers, shared workers, and service workers.
Allowed values:
  'none'
  *
  <host-source>
  <scheme-source>
  'self'
Example:
  Content-Security-Policy: worker-src 'self';
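The helper below is an added example, not part of the MDN-derived reference above: it computes the 'sha256-<hash_value>' source that script-src expects for an inline script, parses a policy header the way browsers do (first occurrence of a directive wins), and flags the weak settings this reference warns about (script-src 'unsafe-inline' without a nonce or hash, wildcard script sources, and missing base-uri, frame-ancestors and object-src). Policy strings and the checks it applies are this example's own choices.

```python
import base64
import hashlib

# Nonce and hash source prefixes listed under script-src on this page.
KEYED_SOURCES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def script_hash_source(inline_script: str, algo: str = "sha256") -> str:
    """Return the 'sha256-<hash_value>' style source for one inline script.
    The digest covers the exact script text (whitespace included) and is
    base64-encoded, which is the form browsers compare against."""
    digest = hashlib.new(algo, inline_script.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def parse_policy(header_value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.
    Directives are ';'-separated; a repeated directive name is ignored
    after its first occurrence, matching browser behaviour."""
    policy: dict[str, list[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def review_policy(header_value: str) -> list[str]:
    """Flag weak settings using the directives described on this page."""
    policy = parse_policy(header_value)
    findings: list[str] = []
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: scripts may load from any origin")
    else:
        keyed = any(s.startswith(KEYED_SOURCES) for s in scripts)
        # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
        # so it is only a finding when nothing keyed accompanies it.
        if "'unsafe-inline'" in scripts and not keyed:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "*" in scripts:
            findings.append("script-src allows * (any origin)")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval'")
    # base-uri and frame-ancestors never fall back to default-src.
    for name in ("base-uri", "frame-ancestors"):
        if name not in policy:
            findings.append(f"{name} is not set")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src is not set and default-src does not cover it")
    return findings
```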