form-action
The form-action directive restricts the URLs that can be used as the target of form submissions from a given context. This directive helps prevent Cross-Site Request Forgery (CSRF) attacks by limiting where forms can be submitted to.
Recommended Values
'self'
Restricts form submissions to the same origin as the document
Tips & Tricks
If not specified, form submissions to any URL are allowed, which could potentially be exploited.
Examples
Restricts form submissions to the same origin as the document
Content-Security-Policy: form-action 'self';
Allowed
<form action="/submit" id="form1" method="post">
  <input type="text" name="fieldName" value="fieldValue">
  <input type="submit" id="submit" value="submit">
</form>
Blocked
<form action="https://malicious.website.com/submit">
  <input type="text" name="username" value="user123">
  <input type="password" name="password" value="secretpass">
  <input type="submit" value="Login">
</form>
Frequently Asked Questions
What is the form-action directive used for?
The form-action directive restricts which URLs can be used as the target of form submissions. This helps prevent malicious redirects and data exfiltration by controlling where forms can submit data to.
Security Note
If form-action is not specified, the browser will fall back to default-src. Always explicitly set form-action to prevent unwanted form submissions.
What are common values for form-action?
Common values include 'self' to only allow submissions to your own domain, specific URLs for trusted external services, and 'none' to block all form submissions. Multiple values can be combined, for example: form-action 'self' https://api.trusted-service.com
Best Practice
Be explicit about allowed form submission endpoints and avoid using wildcards (*) which could allow submissions to malicious sites.
How does form-action protect against CSRF attacks?
form-action helps prevent Cross-Site Request Forgery (CSRF) attacks by restricting where forms can submit data. Even if an attacker injects a malicious form, they cannot submit data to unauthorized domains. However, form-action should be used alongside other CSRF protections like tokens.
Defense in Depth
While form-action provides an additional layer of security, it should not be your only CSRF protection mechanism.
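To make the Allowed/Blocked examples above and the combined values in the FAQ concrete, here is an added example (not code from the original page) that evaluates a form's action URL against a form-action source list the way a browser does, in simplified form. It assumes the source list contains only 'none', 'self', '*', scheme-sources such as https:, and host-sources with an optional scheme, leading *. wildcard, port and path prefix; it does not implement every CSP source-expression form.

```javascript
// Added example: a simplified CSP form-action evaluator (not the page's own code).
// Assumptions: source list limited to 'none', 'self', '*', scheme-source and
// host-source expressions; nonces/hashes are not handled.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Extract the form-action source list from a CSP header; null when the directive is absent.
function parseFormAction(header) {
  const m = /(?:^|;)\s*form-action\s*([^;]*)/i.exec(header);
  return m ? m[1].trim().split(/\s+/).filter(Boolean) : null;
}

// *.example.com matches any subdomain of example.com, but not the apex host itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit the (already resolved) target URL?
function sourceAllows(src, target, doc) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === doc.origin;
  if (s === '*') return /^https?:$/.test(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // With an explicit scheme the target must use it; without one, any network scheme is accepted.
  const schemeOk = scheme ? target.protocol === scheme + ':' : /^https?:$/.test(target.protocol);
  if (!schemeOk || !hostMatches(host, target.hostname)) return false;
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || '';
  if (port && port !== '*' && port !== targetPort) return false;
  return !path || target.pathname.startsWith(path); // simplified path-prefix matching
}

// Resolve the form's action attribute against the document URL and evaluate the policy.
function formSubmissionAllowed(header, action, documentUrl) {
  const sources = parseFormAction(header);
  if (sources === null) return true;      // directive not set: submissions to any URL are allowed
  const doc = new URL(documentUrl);
  const target = new URL(action, doc);    // relative actions such as "/submit" resolve against the page
  return sources.some(src => sourceAllows(src, target, doc));
}
```

Running the two forms from the Examples section through formSubmissionAllowed with the header form-action 'self' returns true for action="/submit" and false for the external login form.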