Content Security Policy

Content Security Policy (CSP)

CSP is a strong mitigation against cross-site scripting (XSS) attacks.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://cspvalidator.org/#url=https://cspvalidator.org/
https://csp-evaluator.withgoogle.com/

Nonce

Using a nonce lets you remove the 'unsafe-inline' part of the CSP value: only tags carrying the matching nonce attribute are allowed to run.

Restricts usage of script tags without the nonce value

script-src 'nonce-rAnd0m';

Restricts usage of style tags without the nonce value

style-src 'nonce-rAnd0m';

Nonce for external scripts

Content-Security-Policy: default-src 'none';script-src 'nonce-rAnd0m'


<script src="https://code.jquery.com/jquery-3.7.1.min.js"
        nonce="rAnd0m"
        integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo="
        crossorigin="anonymous"></script>
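Worked example, added here and not part of the original notes: a minimal Python model of the nonce flow above (generate a fresh nonce per response, emit the header, stamp the tag, then check which script tags the policy lets run). All function names are my own; it models only nonce and 'unsafe-inline' sources for inline scripts, not hashes, host sources or 'strict-dynamic'.

```python
import base64
import re
import secrets
from typing import Optional


def make_nonce() -> str:
    """Fresh per-response nonce: 128 bits from a CSPRNG, base64-encoded (CSP requires base64)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str) -> str:
    """Header value matching the notes above: nothing allowed except scripts with this nonce."""
    return f"default-src 'none'; script-src 'nonce-{nonce}'"


def render_script(nonce: str, body: str) -> str:
    """Server-side templating stamps the response's nonce onto every legitimate script tag."""
    return f'<script nonce="{nonce}">{body}</script>'


def tag_nonce(tag: str) -> Optional[str]:
    """Nonce attribute of a <script> tag, or None when the tag carries none (e.g. injected markup)."""
    m = re.search(r'\snonce="([^"]*)"', tag)
    return m.group(1) if m else None


def script_src_sources(csp: str) -> list[str]:
    """Source list for script-src, falling back to default-src the way the browser does."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))


def inline_script_allowed(csp: str, nonce_attr: Optional[str]) -> bool:
    """Would the browser run an inline <script> whose nonce attribute is nonce_attr?

    Two CSP rules matter here: a 'nonce-...' source matches only a tag with the identical
    attribute value, and once a nonce source is present 'unsafe-inline' is ignored, so adding
    a nonce really does retire 'unsafe-inline' instead of merely sitting beside it.
    """
    sources = script_src_sources(csp)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if nonces:
        return nonce_attr in nonces
    return "'unsafe-inline'" in sources
```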

Keys

script-src:
style-src:
default-src:
img-src:
child-src:
foobar-src:
report-uri:

script-src

https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce

Nonce Value: Only script tags with the nonce value will run
Content-Security-Policy: script-src 'nonce-8IBTHwOdqNKAWeKl7plt8g=='

Special Values

'unsafe-inline': allows the execution of unsafe in-page scripts and event handlers.