Content Security Policy (CSP)

Content Security Policy Examples

Various examples on how to work with CSP.

Here's a simple example of a Content-Security-Policy header:

Content-Security-Policy: default-src 'self'; img-src 'self';

In this example CSP policy you find two CSP directives: default-src and img-src.

The default-src directive restricts what URLs resources can be fetched from the document that set the Content-Security-Policy header. This includes images (img-src), css files (script-src), js files (script-src), etc.

We have set the default-src directive to `self` which means the same origin, or same domain and scheme.

By adding the img-src directive to our policy we can override the default-src directive and provide a policy specific to loading images. In this case we are allowing images to be loaded from 'self' and the domain

Check out the Content-Security-Policy header reference for a full list of directives.

More CSP Examples

CSP Developer Field Guide

CSP Developer Field Guide

Want to learn the ins and outs CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.

Grab a Copy

Struggling to stay on top of security advisories?

Advisory Week is a weekly roundup of all the security advisories published by the major software vendors.