ContentSecurityPolicy object

Use ContentSecurityPolicy to configure the Content-Security-Policy header.

Option	Description	Default Value
useDefaults	When true, it merges the default header directives with any custom directives you pass in via the directives object.	false
reportOnly	Set this option to one or more policy directives. For example: default-src https:; report-to /csp-violation-report-endpoint/	'content-security-policy'
resourceHashing	When true, inline scripts are hashed for the header.	true
directives	In this section, you can configure directives for the Content-Security-Policy header.

You can customize these directives for a Content-Security-Policy header. Set values for them in the directives section of a ContentSecurityPolicy object.

• default-src
• base-uri
• child-src
• connect-src
• font-src
• form-action
• frame-ancestors
• frame-src
• img-src
• manifest-src
• media-src
• object-src
• prefetch-src
• sandbox
• script-src
• script-src-attr
• script-src-elem
• style-src
• style-src-attr
• style-src-elem
• upgrade-insecure-requests
• worker-src

For example, this ContentSecurityPolicy object tells the Content-Security-Policy header to use the media-src 'self' directive in addition to to the default directives.

This ContentSecurityPolicy has useDefaults: false, which removes all the default directives and values. It only defines a value for the media-src directive, so all other directives accept content from any source.

See Also

• Guide: @lwrjs/security