Content Security Policy FAQ

Why is my script hash not working.

First make sure your browser supports CSP Level 2, you can use our CSP Browser Test to check.

One common problem is that you forgot to wrap the hash in single quotes. So this header would fail:

Content-Security-Policy: script-src js.example.com sha256-xzi4zkCjuC8lZcD2UmnqDG0vurmq12W/XKM5Vd0+MlQ=;

But if you wrap your hash with single quotes it will work:

Content-Security-Policy: script-src js.example.com 'sha256-xzi4zkCjuC8lZcD2UmnqDG0vurmq12W/XKM5Vd0+MlQ=;'

Another common reason the script hash is not working would be that you changed the script and have the wrong hash. In that case you can use Chrome developer tools to see what the hash should be.

What CSP policy is required for Google Analytics?

First, inline scripts do not execute when CSP is enabled, so you will have to move the code within the script tags to its own file. Another option is to add the hash (CSP Level 2) of the script to your script-src header. Whatever you do, do not add unsafe-inline to support google analytics, that pretty much defeats the purpose of CSP.

Google Analytics will try to load a tiny image, so you will need img-src www.google-analytics.com

Now assuming you have moved your script to a file on the same origin, your header might look like this:

default-src 'none';script-src 'self' www.google-analytics.com;img-src www.google-analytics.com;