ContentSecurityPolicy object
Use a ContentSecurityPolicy object to configure the Content-Security-Policy header.
Option | Description | Default Value |
---|---|---|
useDefaults | When true, the default header directives are merged with any custom directives you pass in via the directives object; a custom directive with the same name replaces the default one. When false, only the directives you set are emitted. | false |
reportOnly | Set this option to one or more policy directives to have violations reported without being enforced (the report-only form of the header). For example: default-src https:; report-to /csp-violation-report-endpoint/ | 'content-security-policy' |
resourceHashing | When true, a hash of each inline script is computed and added to the header as a hash source, so those scripts are allowed to run without 'unsafe-inline'. | true |
directives | Configures the individual directives of the Content-Security-Policy header (see the list below). | none |
You can customize the following directives for the Content-Security-Policy header. Set values for them in the directives section of a ContentSecurityPolicy object.
default-src
base-uri
child-src
connect-src
font-src
form-action
frame-ancestors
frame-src
img-src
manifest-src
media-src
object-src
prefetch-src
sandbox
script-src
script-src-attr
script-src-elem
style-src
style-src-attr
style-src-elem
upgrade-insecure-requests
worker-src
For example, a ContentSecurityPolicy object with useDefaults: true and media-src 'self' in its directives tells the Content-Security-Policy header to use the media-src 'self' directive in addition to the default directives.
A ContentSecurityPolicy object with useDefaults: false removes all the default directives and values. If it only defines a value for the media-src directive, every other directive is absent from the header. Because no default-src is set there is no fallback either, so script-src, connect-src and the other fetch directives are unrestricted and content from any source is accepted; such a policy does nothing to contain injected scripts.
See Also