Content Security Policy (CSP)
Quick Reference Guide

Content Security Policy FAQ

Why is my script hash not working?

First, make sure your browser supports CSP Level 2; you can use our CSP Browser Test to check.

One common problem is that you forgot to wrap the hash in single quotes. So this header would fail:

Content-Security-Policy: script-src sha256-xzi4zkCjuC8lZcD2UmnqDG0vurmq12W/XKM5Vd0+MlQ=;

But if you wrap your hash with single quotes it will work:

Content-Security-Policy: script-src 'sha256-xzi4zkCjuC8lZcD2UmnqDG0vurmq12W/XKM5Vd0+MlQ=';

Another common reason a script hash does not work is that you changed the script and the hash no longer matches its contents. In that case you can use Chrome developer tools to see what the hash should be: the console error reports the hash of the blocked script.
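Both failure modes above can be checked before the header ships. The following Python is an added example, not code from the original page or the CSP Browser Test; it computes the single-quoted hash source for an inline script body and flags hash or nonce sources that were written without their quotes (and so would be parsed as host sources and ignored). The sample script bodies and header strings are constructed for the demonstration.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Hash algorithms CSP Level 2 accepts for script-src / style-src hash sources.
ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}

# A hash/nonce source that still starts with its algorithm name is unquoted;
# a correctly quoted one starts with the single quote character instead.
_UNQUOTED_HASH_OR_NONCE = re.compile(r"^(sha256|sha384|sha512|nonce)-", re.IGNORECASE)


def csp_hash(script_body: str, algorithm: str = "sha256") -> str:
    """Return the single-quoted hash source for an inline script body.

    The digest covers the exact bytes between <script> and </script>, so any
    change to whitespace or comments yields a different hash. The result is
    already wrapped in single quotes, which is the form the header requires.
    """
    digest = ALGORITHMS[algorithm](script_body.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def parse_policy(header_value: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def unquoted_hash_sources(header_value: str) -> List[str]:
    """Return hash/nonce sources that are missing their single quotes.

    An unquoted sha256-... token is treated as a host source by the browser
    and never matches an inline script, which is the first failure the FAQ
    describes.
    """
    return [
        source
        for sources in parse_policy(header_value).values()
        for source in sources
        if _UNQUOTED_HASH_OR_NONCE.match(source)
    ]


def script_allowed_by_hash(header_value: str, script_body: str) -> bool:
    """True if script-src (or default-src as the fallback) lists a hash of this exact body."""
    policy = parse_policy(header_value)
    sources = policy.get("script-src", policy.get("default-src", []))
    return any(csp_hash(script_body, algorithm) in sources for algorithm in ALGORITHMS)


if __name__ == "__main__":
    # Constructed inline script and the header built from its hash.
    inline_script = "console.log('hello');"
    header = f"default-src 'none'; script-src {csp_hash(inline_script)};"
    print(header)
    print("original body allowed:", script_allowed_by_hash(header, inline_script))
    # Editing the script (even just trailing whitespace) invalidates the hash.
    print("edited body allowed:", script_allowed_by_hash(header, inline_script + " "))
    # The unquoted form from the FAQ is flagged; the quoted form is not.
    print("unquoted:", unquoted_hash_sources("script-src sha256-xzi4zkCjuC8lZcD2UmnqDG0vurmq12W/XKM5Vd0+MlQ=;"))
    print("quoted:", unquoted_hash_sources("script-src 'sha256-xzi4zkCjuC8lZcD2UmnqDG0vurmq12W/XKM5Vd0+MlQ=';"))
```

The hash must be computed over the script body exactly as the browser receives it; if a template engine re-indents or minifies the inline block on the way out, hash the rendered output rather than the source file.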

What CSP policy is required for Google Analytics?

First, inline scripts do not execute when CSP is enabled, so you will have to move the code within the script tags to its own file. Another option is to add the hash (CSP Level 2) of the script to your script-src directive. Whatever you do, do not add 'unsafe-inline' to support Google Analytics; that pretty much defeats the purpose of CSP.

Google Analytics will also try to load a tiny tracking image, so you will need an img-src directive that allows the host that image is loaded from.

Now assuming you have moved your script to a file on the same origin, your header might look like this:

default-src 'none';script-src 'self';img-src;

Where can I find more CSP resources?

Want more info on CSP? Check out these links:

CSP Developer Field Guide

CSP Developer Field Guide

Want to learn the ins and outs of CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.

