script-src
The script-src directive specifies which sources the browser may load and execute JavaScript from. It governs external script files, inline <script> blocks and inline event handler attributes such as onclick.
Recommended Values
'self'
Allows scripts from the same origin (same scheme, host and port) as the document
https://subdomain.domain.com
Allows scripts from one specific external origin; allowlist hosts sparingly, since every script that host serves becomes trusted
'sha256-<base64 hash>'
Allows an inline script whose exact text hashes to the given value; sha384 and sha512 are also accepted
'nonce-<random>'
Allows script tags whose nonce attribute equals the fresh random value sent in the header for this response
'strict-dynamic'
Extends trust from nonce- or hash-allowed scripts to the scripts they load at runtime, while 'self', host sources and 'unsafe-inline' in the same directive are ignored; always combine it with nonces or hashes
Tips & Tricks
The nonce value must be generated fresh for every response from a cryptographically secure random source (at least 128 bits, base64-encoded), sent in the Content-Security-Policy header as 'nonce-<value>', and placed unchanged in the nonce attribute of every script tag that should run.
Hashes can also be used to allow specific inline scripts: the policy lists 'sha256-<base64>' (sha384 and sha512 are accepted too) of the exact script text. They suit static inline scripts that never change, because any whitespace or formatting change breaks the match. See the values section for more information.
Avoid 'unsafe-inline' and 'unsafe-eval': the first lets any injected inline script run and the second re-enables eval() and similar string-to-code APIs, so either one largely defeats the XSS protection the directive provides. 'unsafe-hashes' is narrower (it only lets listed hashes match inline event handler attributes) but still loosens the policy; prefer moving handlers into an external or nonced script.
Scheme sources such as data:, blob:, http: and https: are written without quotes and allow scripts from any URL with that scheme. data: lets an attacker run an injected script as a data: URL, and https: trusts every host on the internet, so both are far too permissive as primary sources. The one reasonable use of https: is as a fallback after 'strict-dynamic', where browsers that support 'strict-dynamic' ignore it.
'strict-dynamic' changes how the directive is evaluated: supporting browsers ignore 'self', host and scheme sources and 'unsafe-inline', and trust only scripts that carry a valid nonce or hash plus any scripts those trusted scripts load at runtime, for example through document.createElement('script'). Scripts inserted through the HTML parser (document.write, innerHTML) remain blocked. This lets a nonce-based policy work with bundlers and tag managers that load further scripts, without maintaining a host allowlist.
Available Values
'none'
Blocks all scripts, including inline scripts and event handlers
'self'
Allows scripts from the same origin (scheme, host and port) as the document
subdomain.domain.com
Allows scripts from a specific host; a scheme (https://subdomain.domain.com) and a leading *. wildcard (https://*.domain.com) may be added
'sha256-<base64 hash>'
Allows an inline script whose exact text hashes to the value (sha384 and sha512 are also accepted)
'nonce-<random>'
Allows script tags whose nonce attribute equals the value, which must be freshly generated for every response
'report-sample'
Includes the first 40 characters of the violating inline script or handler in violation reports, which makes them much easier to triage
'strict-dynamic'
Trusts scripts loaded at runtime by a nonce- or hash-allowed script and ignores 'self', host and scheme sources and 'unsafe-inline'; nonces or hashes are required for it to allow anything
'unsafe-inline'
Allows all inline scripts and event handlers (not recommended); browsers ignore it when a nonce or hash is present in the directive
'unsafe-eval'
Allows eval(), new Function(), and string arguments to setTimeout() and setInterval() (not recommended)
'unsafe-hashes'
Lets hash sources match inline event handler attributes such as onclick, which nonces cannot cover; narrower than 'unsafe-inline' but still best avoided by moving handlers into scripts
Examples
Allows scripts from the same origin and a specific external site
Content-Security-Policy: script-src 'self' https://example.com 'nonce-zf48z4fefDOg94qDef5EE6eFqzf15';
Allowed
<!-- allowed by 'self' -->
<script src='/js/my_font.js'></script>
<!-- allowed by https://example.com -->
<script src='https://example.com/myfont.js'></script>
<!-- allowed by the nonce, which matches the header -->
<script nonce='zf48z4fefDOg94qDef5EE6eFqzf15'>alert('Hello there');</script>
Blocked
<!-- blocked: the origin is not in the source list -->
<script src='https://malicious.file.com/hihi.js'></script>
<!-- blocked: inline script without a matching nonce, and 'unsafe-inline' is absent -->
<script>alert('Hello there');</script>
<!-- blocked: event handler attributes need 'unsafe-inline' (or 'unsafe-hashes' plus a hash); nonces do not apply to them -->
<button onclick="alert('Hello there');">Click me</button>
Frequently Asked Questions
What is the script-src directive used for?
The script-src directive controls which scripts can be loaded and executed in your web application. It helps prevent Cross-Site Scripting (XSS) attacks by specifying trusted sources for JavaScript code.
Security Note
Avoid using 'unsafe-inline' and 'unsafe-eval' as they weaken protection against XSS attacks. Instead, use nonces or hashes for inline scripts when necessary.
What are the recommended values for script-src?
The most secure approach is 'self' for same-origin scripts, specific trusted origins for external scripts, and nonces or hashes for the inline scripts you cannot move out of the page. For example: script-src 'self' https://trusted-cdn.com 'nonce-random123'. Keep in mind that allowlisting a whole CDN host trusts every file it serves, including JSONP endpoints and outdated libraries that can be abused to run attacker-chosen code, which is why a nonce-based policy with 'strict-dynamic' is generally preferred over a host allowlist.
Best Practice
Always be explicit about which sources are allowed and avoid using wildcards (*) or overly permissive schemes like https:.
How do nonces work with script-src?
Nonces are random values that must match between your CSP header and your script tags. For example, if your CSP includes script-src 'nonce-x4hd8', only script tags with nonce='x4hd8' execute (the value is shortened for illustration; a real nonce should carry at least 128 bits of randomness). The nonce must be unique for each page load, because a nonce an attacker can predict or reuse offers no protection at all.
Implementation Note
Generate nonces server-side from a cryptographically secure random generator, never reuse them across page loads, and send nonced pages with Cache-Control: no-store so that a cache or CDN cannot replay one nonce to other users.