Content Security Policy (CSP)

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

CSP is designed to be fully backward compatible (except CSP version 2 where there are some explicitly-mentioned inconsistencies in backward compatibility; more details here section 1.1). Browsers that don't support it still work with servers that implement it, and vice-versa: browsers that don't support CSP simply ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy.

To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header (sometimes you will see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore).

Alternatively, the <meta> element can be used to configure a policy, for example: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">

Threats

Mitigating cross site scripting

A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust of the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those allowlisted domains, ignoring all other script (including inline scripts and event-handling HTML attributes).

As an ultimate form of protection, sites that want to never allow scripts to be executed can opt to globally disallow script execution.

Mitigating packet sniffing attacks

In addition to restricting the domains from which content can be loaded, the server can specify which protocols are allowed to be used; for example (and ideally, from a security standpoint), a server can specify that all content must be loaded using HTTPS. A complete data transmission security strategy includes not only enforcing HTTPS for data transfer, but also marking all cookies with the secure flag and providing automatic redirects from HTTP pages to their HTTPS counterparts. Sites may also use the Strict-Transport-Security HTTP header to ensure that browsers connect to them only over an encrypted channel.

Using CSP

Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page. For example, a page that uploads and displays images could allow images from anywhere, but restrict a form action to a specific endpoint. A properly designed Content Security Policy helps protect a page against a cross site scripting attack. This article explains how to construct such headers properly, and provides examples.

Specifying your policy

You can use the Content-Security-Policy HTTP header to specify your policy, like this:

Content-Security-Policy: policy

The policy is a string containing the policy directives describing your Content Security Policy.

Writing a policy

A policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area. Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own (for a complete list, see the description of the default-src directive). A policy needs to include a default-src or script-src directive to prevent inline scripts from running, as well as blocking the use of eval(). A policy needs to include a default-src or style-src directive to restrict inline styles from being applied from a <style> element or a style attribute.

Examples: Common use cases

This section provides examples of some common security policy scenarios.

Example 1

A web site administrator wants all content to come from the site's own origin (this excludes subdomains.)

Content-Security-Policy: default-src 'self'

Example 2

A web site administrator wants to allow content from a trusted domain and all its subdomains (it doesn't have to be the same domain that the CSP is set on.)

Content-Security-Policy: default-src 'self' *.trusted.com

Example 3

A web site administrator wants to allow users of a web application to include images from any origin in their own content, but to restrict audio or video media to trusted providers, and all scripts only to a specific server that hosts trusted code.

Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com

Here, by default, content is only permitted from the document's origin, with the following exceptions:

  • Images may load from anywhere (note the "*" wildcard).
  • Media is only allowed from media1.com and media2.com (and not from subdomains of those sites).
  • Executable script is only allowed from userscripts.example.com.

Example 4

A web site administrator for an online banking site wants to ensure that all its content is loaded using SSL, in order to prevent attackers from eavesdropping on requests.

Content-Security-Policy: default-src https://onlinebanking.jumbobank.com

The server only permits access to documents being loaded specifically over HTTPS through the single origin onlinebanking.jumbobank.com.

Example 5

A web site administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content.

Content-Security-Policy: default-src 'self' *.mailsite.com; img-src *

Note that this example doesn't specify a script-src; with the example CSP, this site uses the setting specified by the default-src directive, which means that scripts can be loaded only from the originating server.

Testing your policy

To ease deployment, CSP can be deployed in report-only mode. The policy is not enforced, but any violations are reported to a provided URI. Additionally, a report-only header can be used to test a future revision to a policy without actually deploying it.

You can use the Content-Security-Policy-Report-Only HTTP header to specify your policy, like this:

Content-Security-Policy-Report-Only: policy

If both a Content-Security-Policy-Report-Only header and a Content-Security-Policy header are present in the same response, both policies are honored. The policy specified in Content-Security-Policy headers is enforced while the Content-Security-Policy-Report-Only policy generates reports but is not enforced.

Enabling reporting

By default, violation reports aren't sent. To enable violation reporting, you need to specify the report-uri policy directive, providing at least one URI to which to deliver the reports:

Content-Security-Policy: default-src 'self'; report-uri http://reportcollector.example.com/collector.cgi

Then you need to set up your server to receive the reports; it can store or process them in whatever manner you feel is appropriate.

Violation report syntax

The report JSON object contains the following data:

blocked-uri
The URI of the resource that was blocked from loading by the Content Security Policy. If the blocked URI is from a different origin than the document-uri, then the blocked URI is truncated to contain just the scheme, host, and port.
disposition
Either "enforce" or "reporting" depending on whether the Content-Security-Policy-Report-Only header or the Content-Security-Policy header is used.
document-uri
The URI of the document in which the violation occurred.
effective-directive
The directive whose enforcement caused the violation.
original-policy
The original policy as specified by the Content-Security-Policy HTTP header.
referrer
The referrer of the document in which the violation occurred.
script-sample
The first 40 characters of the inline script, event handler, or style that caused the violation.
status-code
The HTTP status code of the resource on which the global object was instantiated.
violated-directive
The name of the policy section that was violated.

Sample violation report

Let's consider a page located at http://example.com/signup.html. It uses the following policy, disallowing everything but stylesheets from cdn.example.com.

Content-Security-Policy: default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports

The HTML of signup.html looks like this:

<!DOCTYPE html>
<html>
  <head>
    <title>Sign Up</title>
    <link rel="stylesheet" href="css/style.css">
  </head>
  <body>
    ... Content ...
  </body>
</html>

Can you spot the mistake? Stylesheets are only allowed to be loaded from cdn.example.com, yet the website tries to load one from its own origin (http://example.com). A browser capable of enforcing CSP will send the following violation report as a POST request to http://example.com/_/csp-reports, when the document is visited:

{
  "csp-report": {
    "document-uri": "http://example.com/signup.html",
    "referrer": "",
    "blocked-uri": "http://example.com/css/style.css",
    "violated-directive": "style-src cdn.example.com",
    "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports"
  }
}

As you can see, the report includes the full path to the violating resource in blocked-uri. This is not always the case. For example, when the signup.html would attempt to load CSS from http://anothercdn.example.com/stylesheet.css, the browser would not include the full path but only the origin (http://anothercdn.example.com). The CSP specification gives an explanation of this odd behaviour. In summary, this is done to prevent leaking sensitive information about cross-origin resources.

Browser compatibility

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
Content-Security-PolicyChrome Full support 25
Full support 25
Full support 14
Alternate Name
Alternate Name Uses the non-standard name: X-Webkit-CSP
Edge Full support 14Firefox Full support 23
Full support 23
Full support 4
Alternate Name
Alternate Name Uses the non-standard name: X-Content-Security-Policy
IE Full support 10
Notes Alternate Name
Full support 10
Notes Alternate Name
Notes Only supporting 'sandbox' directive.
Alternate Name Uses the non-standard name: X-Content-Security-Policy
Opera Full support 15Safari Full support 7
Full support 7
Full support 6
Alternate Name
Alternate Name Uses the non-standard name: X-Webkit-CSP
WebView Android Full support YesChrome Android Full support YesFirefox Android Full support 23Opera Android Full support YesSafari iOS Full support 7.1
Full support 7.1
Full support 5.1
Notes
Notes X-Webkit-CSP
Samsung Internet Android Full support Yes

Legend

Full support  
Full support
See implementation notes.
See implementation notes.
Uses a non-standard name.
Uses a non-standard name.

A specific incompatibility exists in some versions of the Safari web browser, whereby if a Content Security Policy header is set, but not a Same Origin header, the browser will block self-hosted content and off-site content, and incorrectly report that this is due to a the Content Security Policy not allowing the content.

See also

Last modified:

, by MDN contributors
Related Topics
  1. HTTP
  2. Guides:
  3. Resources and URIs
    1. Identifying resources on the Web
    2. Data URIs
    3. Introduction to MIME Types
    4. Complete list of MIME Types
    5. Choosing between www and non-www URLs
  4. HTTP guide
    1. Basics of HTTP
    2. Overview of HTTP
    3. Evolution of HTTP
    4. HTTP Messages
    5. A typical HTTP session
    6. Connection management in HTTP/1.x
    7. Protocol upgrade mechanism
  5. HTTP security
    1. Content Security Policy (CSP)
    2. HTTP Public Key Pinning (HPKP)
    3. HTTP Strict Transport Security (HSTS)
    4. Cookie security
    5. X-Content-Type-Options
    6. X-Frame-Options
    7. X-XSS-Protection
    8. Mozilla web security guidelines
    9. Mozilla Observatory
  6. HTTP access control (CORS)
  7. HTTP authentication
  8. HTTP caching
  9. HTTP compression
  10. HTTP conditional requests
  11. HTTP content negotiation
  12. HTTP cookies
  13. HTTP range requests
  14. HTTP redirects
  15. HTTP specifications
  16. Feature policy
  17. References:
  18. HTTP headers
    1. Accept
    2. Accept-CH
    3. Accept-CH-Lifetime
    4. Accept-Charset
    5. Accept-Encoding
    6. Accept-Language
    7. Accept-Patch
    8. Accept-Ranges
    9. Access-Control-Allow-Credentials
    10. Access-Control-Allow-Headers
    11. Access-Control-Allow-Methods
    12. Access-Control-Allow-Origin
    13. Access-Control-Expose-Headers
    14. Access-Control-Max-Age
    15. Access-Control-Request-Headers
    16. Access-Control-Request-Method
    17. Age
    18. Allow
    19. Alt-Svc
    20. Authorization
    21. Cache-Control
    22. Clear-Site-Data
    23. Connection
    24. Content-Disposition
    25. Content-Encoding
    26. Content-Language
    27. Content-Length
    28. Content-Location
    29. Content-Range
    30. Content-Security-Policy
    31. Content-Security-Policy-Report-Only
    32. Content-Type
    33. Cookie
    34. Cookie2
    35. Cross-Origin-Resource-Policy
    36. DNT
    37. DPR
    38. Date
    39. Device-Memory
    40. Digest
    41. ETag
    42. Early-Data
    43. Expect
    44. Expect-CT
    45. Expires
    46. Feature-Policy
    47. Forwarded
    48. From
    49. Host
    50. If-Match
    51. If-Modified-Since
    52. If-None-Match
    53. If-Range
    54. If-Unmodified-Since
    55. Index
    56. Keep-Alive
    57. Large-Allocation
    58. Last-Modified
    59. Link
    60. Location
    61. Origin
    62. Pragma
    63. Proxy-Authenticate
    64. Proxy-Authorization
    65. Public-Key-Pins
    66. Public-Key-Pins-Report-Only
    67. Range
    68. Referer
    69. Referrer-Policy
    70. Retry-After
    71. Save-Data
    72. Sec-WebSocket-Accept
    73. Server
    74. Server-Timing
    75. Set-Cookie
    76. Set-Cookie2
    77. SourceMap
    78. Strict-Transport-Security
    79. TE
    80. Timing-Allow-Origin
    81. Tk
    82. Trailer
    83. Transfer-Encoding
    84. Upgrade-Insecure-Requests
    85. User-Agent
    86. Vary
    87. Via
    88. WWW-Authenticate
    89. Want-Digest
    90. Warning
    91. X-Content-Type-Options
    92. X-DNS-Prefetch-Control
    93. X-Forwarded-For
    94. X-Forwarded-Host
    95. X-Forwarded-Proto
    96. X-Frame-Options
    97. X-XSS-Protection
  19. HTTP request methods
    1. CONNECT
    2. DELETE
    3. GET
    4. HEAD
    5. OPTIONS
    6. PATCH
    7. POST
    8. PUT
    9. TRACE
  20. HTTP response status codes
    1. 100 Continue
    2. 101 Switching Protocols
    3. 103 Early Hints
    4. 200 OK
    5. 201 Created
    6. 202 Accepted
    7. 203 Non-Authoritative Information
    8. 204 No Content
    9. 205 Reset Content
    10. 206 Partial Content
    11. 300 Multiple Choices
    12. 301 Moved Permanently
    13. 302 Found
    14. 303 See Other
    15. 304 Not Modified
    16. 307 Temporary Redirect
    17. 308 Permanent Redirect
    18. 400 Bad Request
    19. 401 Unauthorized
    20. 402 Payment Required
    21. 403 Forbidden
    22. 404 Not Found
    23. 405 Method Not Allowed
    24. 406 Not Acceptable
    25. 407 Proxy Authentication Required
    26. 408 Request Timeout
    27. 409 Conflict
    28. 410 Gone
    29. 411 Length Required
    30. 412 Precondition Failed
    31. 413 Payload Too Large
    32. 414 URI Too Long
    33. 415 Unsupported Media Type
    34. 416 Range Not Satisfiable
    35. 417 Expectation Failed
    36. 418 I'm a teapot
    37. 422 Unprocessable Entity
    38. 425 Too Early
    39. 426 Upgrade Required
    40. 428 Precondition Required
    41. 429 Too Many Requests
    42. 431 Request Header Fields Too Large
    43. 451 Unavailable For Legal Reasons
    44. 500 Internal Server Error
    45. 501 Not Implemented
    46. 502 Bad Gateway
    47. 503 Service Unavailable
    48. 504 Gateway Timeout
    49. 505 HTTP Version Not Supported
    50. 506 Variant Also Negotiates
    51. 507 Insufficient Storage
    52. 508 Loop Detected
    53. 511 Network Authentication Required
  21. CSP directives
    1. CSP: base-uri
    2. CSP: block-all-mixed-content
    3. CSP: child-src
    4. CSP: connect-src
    5. CSP: default-src
    6. CSP: font-src
    7. CSP: form-action
    8. CSP: frame-ancestors
    9. CSP: frame-src
    10. CSP: img-src
    11. CSP: manifest-src
    12. CSP: media-src
    13. CSP: navigate-to
    14. CSP: object-src
    15. CSP: plugin-types
    16. CSP: prefetch-src
    17. CSP: referrer
    18. CSP: report-to
    19. CSP: report-uri
    20. CSP: require-sri-for
    21. CSP: sandbox
    22. CSP: script-src
    23. CSP: script-src-attr
    24. CSP: script-src-elem
    25. CSP: style-src
    26. CSP: style-src-attr
    27. CSP: style-src-elem
    28. CSP: trusted-types
    29. CSP: upgrade-insecure-requests
    30. CSP: worker-src
  22. CORS errors
    1. Reason: CORS disabled
    2. Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'
    3. Reason: CORS header 'Access-Control-Allow-Origin' missing
    4. Reason: CORS header ‘Origin’ cannot be added
    5. Reason: CORS preflight channel did not succeed
    6. Reason: CORS request did not succeed
    7. Reason: CORS request external redirect not allowed
    8. Reason: CORS request not HTTP
    9. Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
    10. Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’
    11. Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed
    12. Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’
    13. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’
    14. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’
    15. Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel
  23. Feature-Policy directives
    1. Feature-Policy: accelerometer
    2. Feature-Policy: ambient-light-sensor
    3. Feature-Policy: autoplay
    4. Feature-Policy: camera
    5. Feature-Policy: display-capture
    6. Feature-Policy: document-domain
    7. Feature-Policy: encrypted-media
    8. Feature-Policy: fullscreen
    9. Feature-Policy: geolocation
    10. Feature-Policy: gyroscope
    11. Feature-Policy: layout-animations
    12. Feature-Policy: legacy-image-formats
    13. Feature-Policy: magnetometer
    14. Feature-Policy: microphone
    15. Feature-Policy: midi
    16. Feature-Policy: oversized-images
    17. Feature-Policy: payment
    18. Feature-Policy: picture-in-picture
    19. Feature-Policy: speaker
    20. Feature-Policy: sync-xhr
    21. Feature-Policy: unoptimized-images
    22. Feature-Policy: unsized-media
    23. Feature-Policy: usb
    24. Feature-Policy: vibrate
    25. Feature-Policy: vr
    26. Feature-Policy: wake-lock
    27. Feature-Policy: webauthn
    28. Feature-Policy: xr