Content Security Policy (CSP)

Content Security Policy is a browser security mechanism that web developers and server administrators can use to mitigate attacks such as cross-site scripting (XSS): the server declares which sources the browser may load content from, and the browser blocks everything else.

CSP is delivered as an HTTP response header (Content-Security-Policy). For each type of resource (stylesheets, scripts, frames, fonts, images and so on) it specifies the sources the browser is allowed to load that resource from.

An example of a simple CSP header:

Content-Security-Policy: default-src 'self'

This CSP header tells the browser that it may only load resources from the following sources:

  • 'self': the origin the page itself was served from (same scheme, host and port).
  • Resources may also be reloaded from

default-src is the fallback: it applies to every fetch directive that is not set explicitly (note that frame-ancestors, form-action and base-uri do not fall back to default-src and must be set on their own). It is possible to set different rules for loading images, stylesheets, fonts or script files:

Allow scripts from any subdomain of as well as from your own origin ('self'), allow inline scripts (code in <script> tags, inline event handlers and javascript: URLs) and allow eval() and similar string-to-code calls. Note that 'unsafe-inline' and 'unsafe-eval' undo most of the protection against XSS, because an injected inline script is exactly what an attacker supplies; nonces or hashes are the safer alternative for legitimate inline code.

Content-Security-Policy: script-src 'self' 'unsafe-eval' 'unsafe-inline' *;

Allow images from any subdomain of as well as from your own origin:

Content-Security-Policy: img-src 'self' *;

Allow frames (iframes) from the domains, and

Content-Security-Policy: frame-src 'self' * *;

Several directives can be combined in a single header, separated by semicolons, so that each resource type gets its own source list:

Content-Security-Policy: frame-src 'self'; script-src 'self'; font-src;
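To make the fallback rules above concrete, here is a small matcher that evaluates a policy string the way a browser would for the parts of CSP this article covers. It is an added example written for this page, not code from the original article: it handles 'self', 'none', host sources with a leading *. wildcard, scheme sources such as https:, 'unsafe-inline', duplicate directives (the first one wins) and the default-src fallback, and deliberately leaves out nonces, hashes, ports, paths and 'strict-dynamic'. All origins and URLs in it are constructed.

```python
"""Minimal CSP source matcher (added example, not from the original article).
Covers 'self', 'none', host sources with an optional *. wildcard, scheme sources,
'unsafe-inline' and the default-src fallback; nonces, hashes, ports, paths and
'strict-dynamic' are not modelled. All origins and URLs are constructed."""
from urllib.parse import urlsplit

# Directives that never fall back to default-src (CSP Level 3).
NO_FALLBACK = {
    "frame-ancestors", "form-action", "base-uri", "sandbox",
    "report-uri", "report-to", "upgrade-insecure-requests",
}


def parse_policy(header_value):
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def source_matches(source, url, page_origin):
    """Does one source expression allow fetching `url` from a page served at `page_origin`?"""
    src = source.lower()
    u, p = urlsplit(url), urlsplit(page_origin)
    if src == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if src.startswith("'"):
        return False  # 'none', 'unsafe-inline', 'unsafe-eval': never match a URL
    if src == "*":
        return u.scheme in ("http", "https")  # bare wildcard excludes data:, blob:, etc.
    if src.endswith(":"):
        return u.scheme == src[:-1]  # scheme source, e.g. "https:"
    scheme, _, host = src.rpartition("://")  # host source, optionally with a scheme
    if scheme:
        if u.scheme != scheme:
            return False
    elif u.scheme != p.scheme and not (p.scheme == "http" and u.scheme == "https"):
        return False  # scheme-less host sources inherit the page's scheme (https upgrade allowed)
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])  # subdomains only, not the apex
    return u.hostname == host


def effective_sources(policy, directive):
    """The source list governing `directive`; None means the browser applies no restriction at all."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def allows(header_value, directive, url, page_origin):
    """Would a browser enforcing `header_value` load `url` for `directive`?"""
    sources = effective_sources(parse_policy(header_value), directive)
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def allows_inline(header_value, directive):
    """Inline code is permitted only by 'unsafe-inline' here (nonces and hashes not modelled)."""
    sources = effective_sources(parse_policy(header_value), directive)
    return sources is None or "'unsafe-inline'" in (s.lower() for s in sources)


if __name__ == "__main__":
    PAGE = "https://www.example.com"  # constructed page origin
    POLICY = "default-src 'self'; img-src 'self' *.example.com; script-src 'self'"
    print(allows(POLICY, "img-src", "https://cdn.example.com/a.png", PAGE))      # True
    print(allows(POLICY, "font-src", "https://cdn.example.com/f.woff2", PAGE))   # False: falls back to default-src
    print(allows(POLICY, "frame-ancestors", "https://evil.example.net/", PAGE))  # True: no fallback, so unrestricted
    print(allows_inline(POLICY, "script-src"))                                   # False
```

The third call is the one worth remembering: a policy that only sets default-src leaves framing by other sites unrestricted, so clickjacking protection needs an explicit frame-ancestors directive.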

Apache and nginx differ slightly in syntax, but the principle is identical.
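As an added example (not code from the original article), the following builds the header value from a mapping and emits the Apache (mod_headers) and nginx (add_header) lines that set it, then flags the weak settings discussed above before they are deployed. The policy in it is constructed; keeping the policy as data rather than a hand-typed string avoids stray quotes and missing semicolons.

```python
"""Render a CSP as an HTTP header value plus the Apache and nginx directives that set it,
and flag weak settings. Added example for this article, not the original page's code;
the policy in __main__ is constructed."""


def serialize(policy):
    """{'default-src': ["'self'"], 'img-src': ['*.example.com']} -> "default-src 'self'; img-src *.example.com"."""
    return "; ".join(f"{name} {' '.join(sources)}".rstrip() for name, sources in policy.items())


def apache_directive(policy):
    """mod_headers line; 'always' also covers error responses, which otherwise go out without the header."""
    return f'Header always set Content-Security-Policy "{serialize(policy)}"'


def nginx_directive(policy):
    """add_header line ('always' needs nginx >= 1.7.5); the CSP's single quotes sit safely inside double quotes."""
    return f'add_header Content-Security-Policy "{serialize(policy)}" always;'


def lint(policy):
    """Return the weak settings discussed in the article so they are not deployed by accident."""
    warnings = []
    for name, sources in policy.items():
        if not sources:
            warnings.append(f"{name}: empty source list matches nothing (same as 'none')")
        if name in ("default-src", "script-src"):
            for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if weak in sources:
                    warnings.append(f"{name}: {weak} undermines XSS protection (injected script can still run)")
    if "default-src" not in policy:
        warnings.append("no default-src: every fetch directive you did not list is unrestricted")
    return warnings


if __name__ == "__main__":
    POLICY = {  # constructed example policy
        "default-src": ["'self'"],
        "script-src": ["'self'", "*.example.com"],
        "img-src": ["'self'", "*.example.com"],
        "frame-src": ["'self'"],
    }
    print(apache_directive(POLICY))
    print(nginx_directive(POLICY))
    for line in lint(POLICY):
        print("WARNING:", line)
```

One nginx caveat when pasting the generated line: add_header directives in a location or server block replace all add_header lines inherited from the enclosing level, so a block that adds its own header silently drops the CSP unless it repeats it.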
