CentralCSP

img-src


img-src

img-src

The img-src directive specifies the sources from which images & favicons can be loaded.

Recommended Values

  • 'self'

    Allows images from the same origin

    Allows images from the same origin

  • https://subdomain.domain.com

    Allows images from a specific external site

    Allows images from a specific external site

Explore detailed value definitions

Tips & Tricks

  • If img-src is not defined, the default-src directive will be used.

  • Do not use 'unsafe-inline' 'unsafe-eval' or 'unsafe-hashes' as it may introduce security vulnerabilities. Use with caution.

  • Do not use broad keywords like 'data:' 'blob:' 'http:' 'https:' is too permissive and may introduce security vulnerabilities. Use with caution.

Examples

  • Allows images from the same origin and a specific external site

    Content-Security-Policy: img-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <img src='/images/logo.png'>
    
    <!-- allowed by 'self' -->
    <link rel='icon' href='/favicon.ico'>
    
    <!-- allowed by https://example.com -->
    <link rel='icon' href='https://example.com/favicon.ico'>

    Blocked

    <!-- blocked as the domain is not authorized -->
    <img src='https://malicious.file.com/logo.png'>
    
    <!-- blocked as the domain is not authorized -->
    <link rel='icon' href='https://malicious.file.com/favicon.ico'>

Frequently Asked Questions

What is img-src and how does it work?

The img-src directive controls which sources can be used to load images and favicons on your webpage. This includes <img> tags, favicon links, and any other image resources. It helps prevent unauthorized images from being loaded, which could be used for tracking, data exfiltration, or loading malicious content.

Default Behavior

If img-src is not specified, the browser will fall back to default-src for image loading policies.

Can I use data: URIs in img-src?

While data: URIs can be allowed in img-src, it is strongly discouraged from a security perspective. Data URIs allow embedding image data directly in the src attribute, but this creates significant security risks. Malicious actors can use data URIs to bypass CSP restrictions, potentially embedding harmful content or exfiltrating data through manipulated images.

Security Risk

Using data: URIs in img-src effectively bypasses the protections that CSP is meant to provide. If you must use data URIs, consider implementing additional security controls and carefully validate all image data.

What are common values for img-src?

Common values include 'self' for loading images from your own domain, specific URLs for trusted image hosts (like CDNs or media servers)

Security Note

Avoid using broad patterns like * or http:. Instead, explicitly list trusted domains to prevent loading of malicious images or tracking pixels.

Need to monitor CSP violations and maintain it easily?

Set up a reporting endpoint to monitor Content Security Policy violations in real-time to build and maintain your CSP easily.

Set up your endpoint now

Learn more about other topics

Docs

CSP ScannerCSP EvaluatorReporting Endpoint

Contact


CentralSaaS © 2025