Content Security Policy (CSP)
Examples
Content Security Policy Examples
Here's a simple example of a Content-Security-Policy header:
Content-Security-Policy: default-src 'self'; img-src 'self' cdn.example.com;
In this example CSP policy you find two CSP directives: default-src and img-src.
The default-src directive restricts what URLs resources can be fetched from the document that set the Content-Security-Policy header. This includes images (img-src), css files (script-src), js files (script-src), etc.
We have set the default-src directive to `self` which means the same origin, or same domain and scheme.
By adding the img-src directive to our policy we can override the default-src directive and provide a policy specific to loading images. In this case we are allowing images to be loaded from 'self' and the domain cdn.example.com.
Check out the Content-Security-Policy header reference for a full list of directives.
More CSP Examples
- CSP Allow Inline Scripts - Create a CSP Policy that allows execution of inline scripts.
- CSP Allow Inline Styles - Create a CSP Policy that allows execution of inline styles.
- blocked:csp ⟶ Understanding why CSP blocks resources - A guide to understand why CSP blocks resources in the browser.
- CloudFlare Content-Security-Policy Example - How to add a content security policy headers to a CloudFlare site
- Content-Security-Policy ColdFusion Examples - How to add a content security policy header in a ColdFusion application.
- Content-Security-Policy Express JS Examples - How to add a content security policy header in a node express.js application.
- CSP Policy for Google Analytics GA4 - Using Google Analytics GA4 with a content security policy header.
- Using Google Fonts with a Content-Security-Policy - Create a CSP Policy to that works with google fonts.
- Google Maps with a Content-Security-Policy - Create a CSP Policy to that works with google maps.
- Add Content-Security-Policy header with htaccess - Using an Apache CSP header via a htaccess file.
- Content-Security-Policy Java Examples - How to add a content security policy header in a Java application.
- Content-Security-Policy with jQuery - How to use content security policy with jQuery
- Content-Security-Policy Meta http-equiv Example - Adding a CSP Policy to a HTML meta tag
- Multiple Content-Security-Policy Headers - How to add a content security policy headers to a Netlify site
- Netlify Content-Security-Policy Example - How to add a content security policy headers to a Netlify site
- Content-Security-Policy Headers on Nginx - How to add a content security policy headers to a nginx site using add_header
- Content-Security-Policy Headers with OpenBSD relayd - How to add a content security policy headers to an openbsd relayd proxy server.
- PCI DSS 4.0 and Content Security Policy (CSP) - How can CSP help meet PCI DSS 4.0 Compliance Requirements
- Content-Security-Policy PHP Examples - How to add a content security policy header with PHP.
- Content-Security-Policy Twitter Button / Pixel Example - Adjusting your CSP to allow the Twitter Button or a Twitter Pixel to work.
CSP Developer Field Guide
Want to learn the ins and outs CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.
Grab a CopyStruggling to stay on top of security advisories?
Advisory Week is a weekly roundup of all the security advisories published by the major software vendors.