Build a Content-Security-Policy header tailored to your site. Configure script, style, font, and image sources. Includes nonce usage example and security warnings.
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests
default-src 'self'
    Fallback for every fetch directive that is not set explicitly (script-src, style-src, img-src, font-src, connect-src and so on). Restricts all such content to the same origin by default. It is not a fallback for base-uri, form-action or frame-ancestors, which is why those are set separately below.

script-src 'self'
    Controls where scripts can be loaded from; the most critical directive for XSS prevention. 'self' allows external scripts from your own origin only and blocks inline scripts, inline event handlers and eval(). Inline <script> blocks can be allowed individually with a nonce or hash. Do not serve user-uploaded files or JSONP endpoints from that same origin, or 'self' becomes an injection vector.

style-src 'self'
    Controls where stylesheets can be loaded from. Inline <style> blocks and style attributes are blocked as well; allow them with a nonce or hash rather than 'unsafe-inline'.

img-src 'self' data:
    Controls where images can be loaded from. data: is common for base64 embedded images and is low risk here. Never add data: to script-src or object-src, where it allows attacker-controlled code.

object-src 'none'
    Blocks <object>, <embed> and <applet>, i.e. Flash, Java applets and other plugin content. Always set to 'none' for modern apps; without it, plugin content falls back to whatever default-src allows.

base-uri 'self'
    Restricts the URLs that can be used in <base> elements. Prevents base tag injection, where an injected <base href> makes every relative script URL resolve to an attacker's host. Not inherited from default-src.

form-action 'self'
    Restricts the URLs that forms can submit to, which stops an injected form from posting credentials elsewhere. Not inherited from default-src.

frame-ancestors 'none'
    Controls which pages can embed this page in a frame, protecting against clickjacking. Supersedes the older X-Frame-Options header: browsers that understand frame-ancestors ignore X-Frame-Options, so keep X-Frame-Options: DENY only as a fallback for older browsers. Works only as an HTTP header, not in a <meta> tag, and is not inherited from default-src.

upgrade-insecure-requests
    Instructs browsers to upgrade HTTP requests to HTTPS before fetching resources, avoiding mixed-content failures on a site migrated to HTTPS. It does not replace Strict-Transport-Security, which protects the initial navigation.
marduc812
2026