Here's a simple example of a Content-Security-Policy header:

```
Content-Security-Policy: default-src 'self'; img-src 'self' cdn.example.com;
```
The default-src directive restricts the URLs from which the document that set the Content-Security-Policy header may fetch resources. This includes images (img-src), css files (style-src), js files (script-src) and the other fetch types, unless a more specific directive is set for them.
We have set the default-src directive to 'self' (the single quotes are part of the keyword), which means the same origin as the document, i.e. the same domain and scheme.
By adding the img-src directive to our policy we override the default-src directive for images only and provide a policy specific to loading images. In this case we are allowing images to be loaded from 'self' and the domain cdn.example.com. Note that the override is per directive: scripts and stylesheets are still governed by default-src, so cdn.example.com is not allowed for them.
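The fallback rule described above, as an added example that is not part of the original page: a minimal evaluator that parses the header, picks img-src when present and otherwise falls back to default-src, and checks a URL against the sources. It only understands 'self', 'none' and bare host sources; the document origin `https://www.example.com` is a constructed value.

```javascript
// Added example: minimal CSP fallback logic (not a full CSP implementation).
// Handles only 'self', 'none' and bare host sources such as cdn.example.com.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // skip empty trailing segment
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// The specific directive wins if set; otherwise default-src applies.
// null means neither is set, so the fetch is unrestricted by CSP.
function governingSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  return policy['default-src'] || null;
}

function sourceMatches(source, url, documentOrigin) {
  const target = new URL(url);
  const doc = new URL(documentOrigin);
  if (source === "'self'") return target.origin === doc.origin;
  if (source === "'none'") return false;
  // Bare host source: host must match and the scheme must be the
  // document's scheme (or https, which is always acceptable).
  const schemeOk = target.protocol === doc.protocol || target.protocol === 'https:';
  return schemeOk && target.hostname === source.toLowerCase();
}

function isAllowed(header, directive, url, documentOrigin) {
  const sources = governingSources(parseCsp(header), directive);
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, url, documentOrigin));
}

// Constructed sample: the policy from the text and a hypothetical document origin.
const CSP = "default-src 'self'; img-src 'self' cdn.example.com;";
const ORIGIN = 'https://www.example.com';

console.log(isAllowed(CSP, 'img-src', 'https://cdn.example.com/logo.png', ORIGIN));    // true
console.log(isAllowed(CSP, 'script-src', 'https://cdn.example.com/app.js', ORIGIN));   // false
```

The second call shows the point of the paragraph: because no script-src is set, scripts fall back to default-src and the CDN is not permitted for them.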
Check out the Content-Security-Policy header reference for a full list of directives.