Content Security Policy (CSP)
Examples


Content Security Policy Examples

Various examples on how to work with CSP.

Here's a simple example of a Content-Security-Policy header:

Content-Security-Policy: default-src 'self'; img-src 'self' cdn.example.com;

In this example CSP policy you find two CSP directives: default-src and img-src.

The default-src directive restricts what URLs resources can be fetched from the document that set the Content-Security-Policy header. This includes images (img-src), css files (script-src), js files (script-src), etc.

We have set the default-src directive to `self` which means the same origin, or same domain and scheme.

By adding the img-src directive to our policy we can override the default-src directive and provide a policy specific to loading images. In this case we are allowing images to be loaded from 'self' and the domain cdn.example.com.

Check out the Content-Security-Policy header reference for a full list of directives.

More CSP Examples