Content-Security-Policy
Learn how to use the Content-Security-Policy meta tag to improve your site.
Defines which dynamic resources are allowed to load, thus helping to prevent cross-site scripting attacks, data injection, and other malicious attempts to exploit web page vulnerabilities.
Parameters
<meta http-equiv="Content-Security-Policy" content="default-src" />
<meta http-equiv="Content-Security-Policy" content="script-src" />
<meta http-equiv="Content-Security-Policy" content="style-src" />
<meta http-equiv="Content-Security-Policy" content="img-src" />
<meta http-equiv="Content-Security-Policy" content="connect-src" />
<meta http-equiv="Content-Security-Policy" content="font-src" />
<meta http-equiv="Content-Security-Policy" content="object-src" />
<meta http-equiv="Content-Security-Policy" content="media-src" />
<meta http-equiv="Content-Security-Policy" content="frame-src" />
Code Examples
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://apis.google.com;" />
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-2726c7f26c'" />
<meta http-equiv="Content-Security-Policy" content="default-src *;" />
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline';" />
Recommendations
- Test Policy Before Full Implementation: To avoid breaking content, use the Content-Security-Policy-Report-Only mode to monitor potential issues before enforcing a strict policy.
- Use Nonce or Hash for Inline Scripts: To safely allow inline scripts, use a nonce or hash source expression to whitelist specific scripts, reducing the risk of injection attacks.
- Avoid Using 'unsafe-inline' and 'unsafe-eval': These settings significantly lower the protection level of your CSP, exposing the site to XSS attacks. Use more specific source whitelisting instead.
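To make the four example policies and the recommendations above concrete, here is a small policy evaluator written for this page (an added example, not code from the documentation site or from any browser). It models 'self', 'none', 'unsafe-inline', nonces, * and scheme://host sources with default-src fallback; the page origin https://example.com and the resource URLs are constructed sample inputs.

```python
"""Minimal evaluator for the CSP policies shown on this page (added example, not site code)."""
from urllib.parse import urlsplit
# Fetch directives for the resource types modelled here; each falls back to default-src.
DIRECTIVE_FOR = {"script": "script-src", "style": "style-src", "img": "img-src",
                 "font": "font-src", "connect": "connect-src", "frame": "frame-src"}

def parse_policy(policy):
    """'a b; c d;' -> {'a': ['b'], 'c': ['d']}; a repeated directive keeps its first value."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = tokens[1:]
    return out

def url_origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def source_matches(src, page_origin, url=None, inline=False, nonce=None):
    """Match one source expression: 'none', 'self', 'unsafe-inline', 'nonce-...', * or scheme://host."""
    if src.lower() == "'none'":
        return False
    if inline:  # inline code needs 'unsafe-inline' or a matching nonce; even * does not cover it
        return src.lower() == "'unsafe-inline'" or (nonce is not None and src == f"'nonce-{nonce}'")
    if url is None:
        return False
    if src == "*":
        return True
    if src.lower() == "'self'":
        return url_origin(url) == page_origin.lower()
    return "://" in src and url_origin(url) == src.lower().rstrip("/")

def is_allowed(policy, resource_type, page_origin, url=None, inline=False, nonce=None):
    """Decide one load under the directive for resource_type, falling back to default-src."""
    directives = parse_policy(policy)
    sources = directives.get(DIRECTIVE_FOR[resource_type], directives.get("default-src"))
    if sources is None:
        return True  # no governing directive: the policy does not restrict this load
    return any(source_matches(s, page_origin, url, inline, nonce) for s in sources)

def weak_sources(policy):
    """Return the permissive source expressions this page's recommendations say to avoid."""
    return sorted({s for srcs in parse_policy(policy).values() for s in srcs
                   if s in ("*", "'unsafe-inline'", "'unsafe-eval'")})

# Constructed sample: the page's first example policy, applied to a page served from https://example.com.
PAGE_POLICY = "default-src 'self'; script-src 'self' https://apis.google.com;"
if __name__ == "__main__":
    print(is_allowed(PAGE_POLICY, "script", "https://example.com", url="https://apis.google.com/js/api.js"))
```

Note that a directive listed with no sources at all (as in the Parameters section) evaluates to an empty source list and blocks every load of that type. The Report-Only mode in the first recommendation exists only as the Content-Security-Policy-Report-Only HTTP header; browsers ignore it in a meta element, so that testing step has to be done at the server.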
Related Meta Tags
content-type
Defines the MIME type and character encoding of the HTML document; declaring the character set is essential for text to render correctly.
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
default-style
Specifies the name of the preferred stylesheet to use on a web page. This allows users or user agents to choose the default stylesheet amongst many provided.
<meta http-equiv="default-style" content="Main Style">
refresh
Used to redirect the user to a new URL after a certain number of seconds, or to refresh the current page. While it can be useful for redirecting users or refreshing content, its usage is generally discouraged in favor of server-side redirects or JavaScript for a better user experience and performance.
<meta http-equiv="refresh" content="5;url=http://example.com">
X-UA-Compatible
Tells Internet Explorer which document mode to render the page in, either a compatibility view or a specific IE version. Most commonly used with IE=edge to request the highest rendering mode the browser supports.
<meta http-equiv="X-UA-Compatible" content="IE=edge">