Content-Security-Policy
Restricts which resources (scripts, stylesheets, images, fonts, frames, network connections and so on) the browser may load or execute for the page, and from which origins. A well-constructed policy limits the damage from cross-site scripting and other content-injection flaws by refusing to run injected inline scripts or to fetch attacker-controlled resources. It is a defence-in-depth control, not a replacement for output encoding and input validation.
Parameters
The content attribute holds the policy: a semicolon-separated list of directives, each followed by its allowed sources. The fetch directives most commonly used are:
default-src: Fallback source list for any fetch directive that is not set explicitly.
script-src: Sources for JavaScript, including inline scripts (which need a nonce, a hash or 'unsafe-inline').
style-src: Sources for stylesheets and inline styles.
img-src: Sources for images and favicons.
connect-src: Origins the page may contact via fetch, XMLHttpRequest, WebSocket, EventSource and beacons.
font-src: Sources for web fonts loaded with @font-face.
object-src: Sources for plugin content (object, embed); 'none' is the usual value.
media-src: Sources for audio, video and text tracks.
frame-src: Sources for nested browsing contexts such as iframe and frame.
Delivery via a meta tag has limits compared with the Content-Security-Policy HTTP header: the frame-ancestors, report-uri and sandbox directives are ignored in a meta tag, Report-Only mode is not available, and the policy governs only content that appears after the meta element, so it must be placed in the head before any scripts or stylesheets.
Code Examples
Allow resources from the page's own origin only, plus scripts from one explicitly listed third-party origin:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://apis.google.com;" />
Allow only scripts (inline or external) whose nonce attribute matches the policy. The nonce must be random, unguessable and freshly generated for every response; the value shown here is only a placeholder:
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-2726c7f26c'" />
Weak: allows every resource type from any origin. Inline scripts are still blocked because 'unsafe-inline' is absent, but an injected script tag pointing at any external origin would load:
<meta http-equiv="Content-Security-Policy" content="default-src *;" />
Weak: permits inline scripts, which is exactly what most XSS payloads are. Use a nonce or hash instead:
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline';" />
Recommendations
- Test Policy Before Full Implementation: Deploy the policy first as the Content-Security-Policy-Report-Only HTTP response header, which reports violations without blocking anything, and switch to enforcement once the reports are clean. Report-Only cannot be delivered through a meta tag, so this step requires control over the HTTP response headers.
- Use Nonce or Hash for Inline Scripts: Instead of 'unsafe-inline', add a 'nonce-...' source to script-src and put the same value in the nonce attribute of every legitimate inline script, or list each script's digest as a 'sha256-...' source. A nonce must be unpredictable and unique per response; an injected script cannot carry it, so it is blocked.
- Avoid Using 'unsafe-inline' and 'unsafe-eval': These keywords allow injected inline scripts and string-to-code functions (eval, new Function, string-based setTimeout) to run, removing most of the XSS protection CSP offers. Allowlist specific origins, nonces or hashes instead.
Related Meta Tags
refresh
Redirects the user to a new URL after the given number of seconds, or reloads the current page when no URL is given. Its use is generally discouraged in favour of server-side redirects (an HTTP 3xx response) or JavaScript, which give better control, accessibility and performance.
<meta http-equiv="refresh" content="5;url=http://example.com">
content-type
Declares the document's MIME type and character encoding. Declaring the charset explicitly, and early in the head (the HTML specification requires it within the first 1024 bytes), stops the browser from guessing the encoding; a charset sent in the HTTP Content-Type header takes precedence over this tag.
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
default-style
Specifies the name of the preferred stylesheet to use on a web page. This allows users or user agents to choose the default stylesheet amongst many provided.
<meta http-equiv="default-style" content="Main Style">
X-UA-Compatible
Tells Internet Explorer which document (rendering) mode to use. IE=edge selects the highest standards mode the installed IE version supports; it does not refer to the Edge browser. The tag is legacy-only: other browsers, including modern Edge, ignore it.
<meta http-equiv="X-UA-Compatible" content="IE=edge">