DevTools24

CSP Builder

Build Content-Security-Policy headers.

  • default-src (fallback for other directives): 'self'
  • script-src (JavaScript sources): 'self'
  • style-src (CSS sources): 'self' 'unsafe-inline'
  • img-src (image sources): 'self' data: https:
  • font-src (font sources): 'self'
  • connect-src (XHR, WebSocket, fetch targets): 'self'
  • media-src (audio/video sources): (empty)
  • object-src (plugins such as Flash, Java): 'none'
  • frame-src (iframe sources): (empty)
  • child-src (web workers, frames): (empty)
  • worker-src (Worker, SharedWorker): (empty)
  • form-action (form submission targets): (empty)
  • frame-ancestors (who can embed this page): 'self'
  • base-uri (base URL for relative URLs): 'self'
  • report-uri (violation report endpoint): (empty)

Generated header:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'

About Content Security Policy

  • CSP helps prevent XSS attacks by controlling resource loading
  • Start strict and loosen as needed rather than the reverse
  • Use report-uri to monitor violations before enforcing
  • Meta tag CSP cannot use frame-ancestors or report-uri

Content Security Policy - Technical details

CSP is a security standard that helps prevent XSS, clickjacking, and other code injection attacks. It specifies which content sources are allowed to load, giving you fine-grained control over your website's security.
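The builder above joins each non-empty directive with its sources and separates directives with "; ". The following added example (not the DevTools24 tool's own code) reproduces that assembly and adds the pre-enforcement checks the bullets above describe: a missing default-src, an object-src that is not 'none', risky script-src source expressions, and directives that a <meta> tag delivery silently ignores. The directive order and the preset values are taken from the page; the finding messages are this example's own wording.

```python
"""Assemble and sanity-check a Content-Security-Policy header value."""

# Directives the builder exposes, in the order the generated header uses.
DIRECTIVE_ORDER = [
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "form-action", "frame-ancestors", "base-uri", "report-uri",
]

# Directives ignored when CSP is delivered via <meta http-equiv> (see the notes above).
META_UNSUPPORTED = {"frame-ancestors", "report-uri"}

# Source expressions that undo most of the XSS protection when allowed for scripts.
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}

# The page's preset, as a {directive: [sources]} map (constructed from the form above).
PAGE_PRESET = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:", "https:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'self'"],
    "base-uri": ["'self'"],
}


def build_csp(directives):
    """Join {directive: [sources]} into a header value, skipping empty directives."""
    parts = [f"{name} {' '.join(directives[name])}"
             for name in DIRECTIVE_ORDER if directives.get(name)]
    return "; ".join(parts)


def review_csp(directives, delivered_via_meta=False):
    """Return findings a defender should resolve before switching to enforcement."""
    findings = []
    if not directives.get("default-src"):
        findings.append("no default-src: unlisted fetch directives fall open")
    if directives.get("object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content is allowed")
    for src in directives.get("script-src", []):
        if src in RISKY_SCRIPT_SOURCES:
            findings.append(f"script-src allows {src}: XSS protection weakened")
    if delivered_via_meta:
        for name in sorted(META_UNSUPPORTED & set(directives)):
            findings.append(f"{name} is ignored in a <meta> CSP; send it as an HTTP header")
    return findings
```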

Command-line alternative

# Test CSP with curl
curl -I https://example.com | grep -i content-security-policy

# Check CSP in browser DevTools
# Open Console > Security tab

Reference

View the official specification