CentralCSP

script-src


The script-src directive specifies the sources from which scripts can be loaded.

Recommended Values

  • 'self'

    Allows scripts from the same origin

  • https://subdomain.domain.com

    Allows scripts from a specific external site

  • 'sha256-<hash>'

    Allows scripts with a specific hash

  • 'nonce-<random>'

    Allows scripts with a specific nonce value

  • 'strict-dynamic'

    Allows all inline scripts and inline event handlers, but only if they are from the same origin as the document.


Tips & Tricks

  • The nonce value must be unique for each request and must match the one specified in the Content-Security-Policy header exactly.

  • Hashes can also be used to allow specific inline scripts. See the values section for more information.

  • Avoid 'unsafe-inline', 'unsafe-eval' and 'unsafe-hashes': each of them reintroduces script-injection vectors that the directive is meant to close. If one cannot be avoided, use it with caution.

  • Broad keywords such as 'data:', 'blob:', 'http:' and 'https:' are too permissive, since they allow scripts from any source using that scheme, and may introduce security vulnerabilities. Use with caution.

  • Using 'strict-dynamic' allows all inline scripts and inline event handlers, but only if they are from the same origin as the document. This can be useful for allowing inline scripts in a specific context.

Available Values

  • 'none'

    Blocks all scripts

  • 'self'

    Allows scripts from the same origin

  • subdomain.domain

    Allows scripts from a specific domain

  • 'sha256-<hash>'

    Allows scripts with a specific hash

  • 'nonce-<random>'

    Allows scripts with a specific nonce value

  • 'report-sample'

    Includes script samples in violation reports for debugging

  • 'strict-dynamic'

    Allows scripts loaded by trusted scripts, ignoring allowlist and requiring nonces/hashes

  • 'unsafe-inline'

    Allows all inline scripts (not recommended)

  • 'unsafe-eval'

    Allows the use of eval() and similar dynamic code execution methods (not recommended)

Examples

  • Allows scripts from the same origin, from a specific external site, and inline scripts carrying the matching nonce

    Content-Security-Policy: script-src 'self' https://example.com 'nonce-zf48z4fefDOg94qDef5EE6eFqzf15';

    Allowed

    <!-- allowed by 'self' -->
    <script src='/js/my_font.js'></script>
    
    <!-- allowed by https://example.com -->
    <script src='https://example.com/myfont.js'></script>
    
    <!-- allowed by nonce -->
    <script nonce='zf48z4fefDOg94qDef5EE6eFqzf15'>alert('Hello there');</script>

    Blocked

    <!-- blocked as the domain is not authorized -->
    <script src='https://malicious.file.com/hihi.js'></script>
    
    <!-- blocked as inline script is not allowed -->
    <script>alert('Hello there');</script>
    
    <!-- blocked as event handlers are not allowed -->
    <button onclick="alert('Hello there');">Click me</button>
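The allowed/blocked decisions above, reproduced by a small policy checker. This is an added example, not CentralCSP's own code, and it is a simplified model of the browser's check: host sources are matched by origin only (no paths or wildcards), and 'strict-dynamic' and 'unsafe-hashes' are not modelled. The document origin https://www.mysite.test is an assumption.

```python
from urllib.parse import urlsplit

# Constructed inputs: the page's example policy and an assumed document origin.
POLICY = "script-src 'self' https://example.com 'nonce-zf48z4fefDOg94qDef5EE6eFqzf15' ;"
PAGE_ORIGIN = "https://www.mysite.test"


def parse_script_src(policy):
    """Split a script-src directive into keywords, host sources, nonces and hashes."""
    keywords, hosts, nonces, hashes = set(), set(), set(), set()
    for tok in policy.split()[1:]:
        tok = tok.rstrip(";")
        if not tok:
            continue
        if tok.startswith("'nonce-"):
            nonces.add(tok[len("'nonce-"):].rstrip("'"))
        elif tok.startswith(("'sha256-", "'sha384-", "'sha512-")):
            hashes.add(tok.strip("'"))
        elif tok.startswith("'"):
            keywords.add(tok.strip("'"))
        else:
            hosts.add(tok.lower())  # host sources are matched by origin only here
    return keywords, hosts, nonces, hashes


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def script_allowed(policy, page_origin, src=None, nonce=None, inline_hash=None,
                   event_handler=False):
    """Decide whether one script element runs; simplified model of the browser check."""
    keywords, hosts, nonces, hashes = parse_script_src(policy)
    if "none" in keywords:
        return False
    if src is not None:  # external script: 'self' or an explicitly listed origin
        if src.startswith("/"):
            return "self" in keywords
        origin = origin_of(src)
        return (origin == page_origin and "self" in keywords) or origin in hosts
    # Inline script or inline event handler: 'unsafe-inline' is ignored once any
    # nonce or hash is present, so a nonce-based policy blocks unlisted inline code.
    legacy_inline_ok = "unsafe-inline" in keywords and not nonces and not hashes
    if event_handler:  # handlers cannot carry a nonce; 'unsafe-hashes' is not modelled
        return legacy_inline_ok
    if nonce is not None and nonce in nonces:
        return True
    if inline_hash is not None and inline_hash in hashes:
        return True
    return legacy_inline_ok
```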

Frequently Asked Questions

What is the script-src directive used for?

The script-src directive controls which scripts can be loaded and executed in your web application. It helps prevent Cross-Site Scripting (XSS) attacks by specifying trusted sources for JavaScript code.

Security Note

Avoid using 'unsafe-inline' and 'unsafe-eval', as they weaken protection against XSS attacks. Instead, use nonces or hashes for inline scripts when necessary.

What are the recommended values for script-src?

The most secure approach is to use 'self' for same-origin scripts, specific trusted domains for external scripts, and nonces/hashes for necessary inline scripts. For example: script-src 'self' https://trusted-cdn.com 'nonce-random123'

Best Practice

Always be explicit about which sources are allowed and avoid using wildcards (*) or overly permissive schemes like https:.

How do nonces work with script-src?

Nonces are random values that must match between your CSP header and your script tags. For example, if your CSP includes script-src 'nonce-x4hd8', then a script must carry nonce='x4hd8' to execute. The nonce should be unique for each page load.

Implementation Note

Generate cryptographically secure nonces server-side and never reuse them across different page loads.
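The server side of the nonce and hash approach described in this FAQ, as an added example (not CentralCSP's code): a fresh nonce per response from a cryptographic source, the 'sha256-...' source for a fixed inline script, and the assembled script-src header. The host https://example.com and the inline script body are assumed sample values.

```python
import base64
import hashlib
import secrets


def make_nonce(nbytes=16):
    """Fresh, unguessable nonce for one response; never reuse it across page loads."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def inline_script_hash(script_body):
    """'sha256-...' source for a fixed inline script.

    The hash covers the exact text between <script> and </script>; any change
    in whitespace or content produces a different value and the script is blocked.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_script_src(nonce, hosts=(), hashes=()):
    """Assemble the directive: 'self', explicit hosts, this response's nonce, static hashes."""
    sources = ["'self'", *hosts, f"'nonce-{nonce}'", *(f"'{h}'" for h in hashes)]
    return "script-src " + " ".join(sources)


def render_page(hosts=("https://example.com",), static_inline="alert('Hello there');"):
    """Return (nonce, headers, html) for one request; the same nonce appears in both."""
    nonce = make_nonce()
    header = build_script_src(nonce, hosts, [inline_script_hash(static_inline)])
    html = (
        f"<script nonce='{nonce}'>console.log('per-request script');</script>\n"
        f"<script>{static_inline}</script>\n"  # allowed by its sha256 hash, no nonce needed
        "<script src='https://example.com/myfont.js'></script>"
    )
    return nonce, {"Content-Security-Policy": header}, html
```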

Need to monitor CSP violations and maintain it easily?

Set up a reporting endpoint to monitor Content Security Policy violations in real-time to build and maintain your CSP easily.

CentralSaaS © 2025