Configuring Content Security Policy involves deciding what policies you want to enforce, and then configuring them and using the Content-Security-Policy header to establish your policy.
Prior to Firefox 23, the X-Content-Security-Policy HTTP header was used. Firefox 23 and later use the now-standard Content-Security-Policy header. During the transition from the previous header to the new header, sites can send both the X-Content-Security-Policy and Content-Security-Policy headers. In this situation, the X-Content-Security-Policy header will be ignored and the policy contained in the Content-Security-Policy header will be used.
Specifying your policy
You can use the Content-Security-Policy HTTP header to specify your policy. The value of the header is the policy itself: a string containing the policy directives describing your Content Security Policy.
Writing a policy
A policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area. Your policy should include a default-src policy directive, which is a fallback for any resource type you don't explicitly establish a policy for. A policy needs to include a default-src or script-src directive in order for CSP to restrict inline scripts from running, as well as blocking the use of eval(). A policy needs to include a default-src or style-src directive in order for CSP to restrict inline styles from being applied from a <style> element or a
The syntax for a policy is a string of semicolon-separated directives, each following the syntax described in Supported policy directives.
Examples: Common use cases
There are certain common scenarios that arise when writing your security policy; this section provides some examples of these.
A web site administrator wants all content to come from the site's own domain, excluding even subdomains.
Content-Security-Policy: default-src 'self'
A web site administrator wants to allow content from a trusted domain and all its subdomains.
Content-Security-Policy: default-src 'self' *.mydomain.com
A web site administrator wants to allow users of a web application to include images from any domain in their custom content, but to restrict audio or video media to come only from trusted providers, and all scripts only to a specific server that hosts trusted code.
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
Here, by default, content is only permitted from the document's original host, with the following exceptions:
- Images may be loaded from anywhere (note the "*" wildcard).
- Media is only allowed from media1.com and media2.com (and not from subdomains of those sites).
- Executable script is only allowed from userscripts.example.com.
An administrator for an online banking site wants to ensure that all its content is loaded using SSL, in order to prevent attackers from eavesdropping on requests.
Content-Security-Policy: default-src https://onlinebanking.jumbobank.com
The server only permits access to documents being loaded specifically over HTTPS through the single domain onlinebanking.jumbobank.com.
Content-Security-Policy: default-src 'self' *.mailsite.com; img-src *
Note that this example doesn't specify a script-src; with the example CSP, this site uses the setting specified by the default-src directive, which means that scripts can be loaded only from the originating server or from *.mailsite.com.
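The policies above can be checked mechanically. What follows is an added example, not code from this page, from MDN or from any browser: a deliberately simplified evaluator that parses a policy string, falls back to default-src when a directive is absent, and models only the source forms used on this page ('self', '*', bare hosts, *.host wildcards and scheme://host). It assumes the caller supplies the document origin; it ignores nonces, hashes, 'unsafe-inline' and data:/blob: schemes.

```python
from urllib.parse import urlparse

# Constructed, simplified model of CSP source-list matching (not a full
# implementation of the specification).

def parse_policy(policy: str) -> dict:
    """Turn "dir a b; dir c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(source: str, url: str, document_origin: str) -> bool:
    """Does one source expression permit loading `url` from this document?"""
    target, doc = urlparse(url), urlparse(document_origin)
    if source == "'self'":
        # same scheme and host:port as the document, subdomains excluded
        return (target.scheme, target.netloc) == (doc.scheme, doc.netloc)
    if source == "*":
        return True  # simplified: real CSP excludes data:/blob: here
    if "://" in source:
        # scheme://host sources must match the scheme exactly
        src = urlparse(source)
        if src.scheme != target.scheme:
            return False
        host_pattern = src.netloc
    else:
        # host-only sources inherit the document's scheme (simplified)
        if target.scheme != doc.scheme:
            return False
        host_pattern = source
    if host_pattern.startswith("*."):
        # *.example.com matches subdomains only, not example.com itself
        return (target.hostname or "").endswith(host_pattern[1:])
    return target.hostname == host_pattern

def is_allowed(policy: str, directive: str, url: str, document_origin: str) -> bool:
    """Check one load against the policy, using default-src as fallback."""
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # no applicable directive: CSP imposes no restriction
    return any(source_matches(s, url, document_origin) for s in sources)
```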
Testing your policy
To ease deployment, CSP can be deployed in "report-only" mode. The policy is not enforced, but any violations are reported to a provided URI. Additionally, a report-only header can be used to test a future revision to a policy without actually deploying it.
You can use the Content-Security-Policy-Report-Only HTTP header to specify such a policy; its value has the same form as the Content-Security-Policy header.
If both a Content-Security-Policy-Report-Only header and a Content-Security-Policy header are present in the same response, both policies are honored. The policy specified in Content-Security-Policy headers is enforced, while the Content-Security-Policy-Report-Only policy generates reports but is not enforced.
Note that the X-Content-Security-Policy-Report-Only header was used before Firefox 23. If both the X-Content-Security-Policy-Report-Only and Content-Security-Policy-Report-Only headers are sent, the Content-Security-Policy-Report-Only header will be used and the X-Content-Security-Policy-Report-Only header will be ignored.
The UserCSP Addon also helps test and develop Content Security Policies for a site.
- Introducing Content Security Policy
- CSP policy directives
- Using CSP violation reports
- Content Security Policy recommendation bookmarklet