CentralCSP

default-src


The default-src directive is the fallback for all fetch directives. It sets the default policy for fetching resources of any type that has no more specific directive of its own.

Recommended Values

  • 'self'

    Allows resources from the same origin

  • https://subdomain.example.com

    Allows resources from a specific external site


Tips & Tricks

  • default-src is a fallback directive. If a more specific fetch directive is defined, it overrides default-src for that resource type.

  • Using 'unsafe-inline', 'unsafe-eval' or 'unsafe-hashes' can introduce security vulnerabilities. Use with caution.

  • Using broad scheme sources like 'data:', 'blob:', 'http:' or 'https:' is too permissive and may introduce security vulnerabilities. Use with caution.

Examples

  • Recommended usage: allows only resources from the same origin; other sources should be defined in a specific fetch directive

    Content-Security-Policy: default-src 'self';

    Allowed

    <!-- allowed by 'self' -->
    <script src='/js/my_font.js'></script>
    

    Blocked

    <!-- blocked as the domain is not authorized -->
    <script src='https://malicious.file.com/hihi.js'></script>
    
    <!-- blocked as inline script is not allowed -->
    <script>alert('Hello there');</script>
    
    <!-- blocked as event handlers are not allowed -->
    <button onclick="alert('Hello there');">Click me</button>

Frequently Asked Questions

What is the purpose of default-src directive?

The default-src directive acts as a fallback for any fetch directive that hasn't been explicitly specified in your CSP. It provides a baseline security policy for loading resources like scripts, images, fonts, etc. However, any explicitly defined fetch directive overrides default-src for that specific resource type.

Best Practice

Start with a restrictive default-src policy and then explicitly allow needed resources through specific fetch directives.

How does default-src interact with other fetch directives?

When a specific fetch directive (like script-src or img-src) is not defined in your CSP, the browser falls back to using the default-src policy for that resource type. However, if you explicitly define a fetch directive, it completely overrides default-src for that specific resource type.

Important Note

default-src only applies when a more specific directive is not present.

What is the best practice for default-src?

The best security practice for default-src is to set it to 'self' or 'none' and then explicitly allow needed resources through specific fetch directives.

What happens if I don't specify a default-src directive?

If default-src is not specified, the browser will apply its most permissive setting for any fetch directive that isn't explicitly defined. This is equivalent to having no restrictions for those resource types, which is not recommended from a security perspective.

Security Recommendation

Always define at least a default-src directive in your CSP to ensure baseline protection.
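To make the fallback rules above concrete (the Examples block and the two FAQ answers on directive interaction and on a missing default-src), here is an added, simplified policy evaluator. It is example code written for this page, not part of CentralCSP or any browser; host matching ignores ports and paths, and the function names are assumptions.

```python
from urllib.parse import urljoin, urlparse

def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list governing a fetch directive: the explicit directive wins outright,
    otherwise default-src applies; None means neither is set (no restriction at all)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")

def source_matches(source, target, page):
    """Match one source expression against a resolved URL (simplified: no port/path rules)."""
    host = target.hostname or ""
    if source == "'none'":
        return False
    if source == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source.endswith(":"):                      # scheme source such as https: or data:
        return target.scheme == source[:-1]
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    if src.hostname.startswith("*."):             # wildcard subdomain host source
        return host.endswith(src.hostname[1:])
    return src.hostname == host

def is_allowed(header, directive, url, page_url):
    """Would a fetch of `url` for `directive` be allowed under `header` on page `page_url`?"""
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True                               # nothing governs this type: unrestricted
    page = urlparse(page_url)
    target = urlparse(urljoin(page_url, url))
    return any(source_matches(s, target, page) for s in sources)

def inline_allowed(header, directive):
    """Inline code (script bodies, event handlers) needs 'unsafe-inline' in the governing list."""
    sources = effective_sources(parse_csp(header), directive)
    return sources is None or "'unsafe-inline'" in sources
```

Note that once script-src is declared, 'self' must be repeated there: the explicit directive replaces default-src entirely rather than extending it.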

Need to monitor CSP violations and maintain it easily?

Set up a reporting endpoint to monitor Content Security Policy violations in real-time to build and maintain your CSP easily.
