CentralCSP

base-uri

The base-uri directive restricts the URLs that can be used in a document's <base> element. If the directive is absent, any URL is allowed and the user agent simply uses whatever value the <base> element provides (base-uri does not fall back to default-src).

Recommended Values

  • 'self'

    Restricts base URLs to the same origin as the document
Tips & Tricks

  • 'unsafe-inline' and 'strict-dynamic' do not apply to base-uri

  • If base-uri is not specified, any URL can be used in the <base> element, so an injected <base> element can redirect every relative URL on the page.

Examples

  • Restricts the <base> element to the same origin (the document itself is assumed to be served from https://mywebsite.com)

    Content-Security-Policy: base-uri 'self';

    Allowed

    <base href="https://mywebsite.com/">

    Blocked

    <base href="https://otherwebsite.com/">

Frequently Asked Questions

What is the base-uri directive used for?

The base-uri directive restricts the URLs that can be used in a document's <base> element. This helps prevent attackers from manipulating relative URLs by controlling the base URL. For example, base-uri 'self' ensures the base URL can only be set to the document's own origin.

Security Note

If base-uri is not specified, an attacker could potentially redirect relative URLs to malicious destinations by injecting a base element.

What are common values for base-uri?

The most common and secure value is 'self', which only allows the base URL to be set to the same origin as the document. You can also use 'none' to block the <base> element entirely, or list explicit URLs that are allowed.

Best Practice

Unless you have a specific need for external base URLs, using base-uri 'self' or 'none' provides the best security.

How does base-uri affect relative URLs?

The base-uri directive controls which base URLs can be used to resolve relative URLs in your document. When a <base> element is present, all relative URLs (in links, images, scripts, etc.) are resolved relative to that base URL instead of the document's URL.

URL Resolution

Properly restricting base-uri ensures that relative URLs can't be manipulated to point to malicious resources.

CentralSaaS © 2025