The Salesforce Developers website will undergo maintenance on May 29, 2024 from 3:00 a.m. UTC to 10:00 a.m. UTC. The maintenance process may affect the availability of our documentation. Please plan accordingly.

ContentSecurityPolicy object

Use ContentSecurityPolicy to configure the Content-Security-Policy header.

OptionDescriptionDefault Value
useDefaultsWhen true, it merges the default header directives with any custom directives you pass in via the directives object.false
reportOnlySet this option to one or more policy directives. For example: default-src https:; report-to /csp-violation-report-endpoint/'content-security-policy'
resourceHashingWhen true, inline scripts are hashed for the header.true
directivesIn this section, you can configure directives for the Content-Security-Policy header.

You can customize these directives for a Content-Security-Policy header. Set values for them in the directives section of a ContentSecurityPolicy object.

For example, this ContentSecurityPolicy object tells the Content-Security-Policy header to use the media-src 'self' directive in addition to to the default directives.

This ContentSecurityPolicy has useDefaults: false, which removes all the default directives and values. It only defines a value for the media-src directive, so all other directives accept content from any source.

See Also