base-uri

The base-uri directive restricts the URLs that may be used in a document's <base> element. It helps prevent attackers from changing the base URL, which would make the page's relative URLs resolve against a malicious site. If this directive is absent, the user agent honours whatever value the <base> element carries, so any URI can be used.

Recommended Values

  • 'self' Restricts base URLs to the same origin as the document

Recommended base-uri configuration

Content-Security-Policy: base-uri 'self';

Tips & Tricks

  • 'unsafe-inline' and 'strict-dynamic' do not apply to base-uri (they are keywords for script and style sources)

  • If not specified, any URI can be used in the <base> element, which could potentially be exploited.

Possible Values

  • 'self': Only base URLs from the same origin are allowed
  • URLs: Specific domains (e.g., https://trusted-domain.com)
  • Schemes: Protocol schemes (e.g., https:)

Example Configurations

Restricts base element to same origin

Content-Security-Policy: base-uri 'self';

Allowed

<base href="https://mywebsite.com/">

Blocked

<base href="https://otherwebsite.com/">
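The following added example (not part of the original page) shows how the source kinds listed under Possible Values decide the Allowed/Blocked outcome above: it parses a CSP header, extracts base-uri, and checks a candidate <base href> against 'self', 'none', scheme-source and host-source entries. It assumes a simplified matcher (strict same-origin for 'self', no wildcard hosts) and constructed policy and URL values.

```python
from urllib.parse import urlsplit

# Constructed sample policy and document URL for illustration.
POLICY = "default-src 'self'; base-uri 'self' https://trusted-domain.com"
DOCUMENT_URL = "https://mywebsite.com/app/index.html"


def base_uri_sources(policy):
    """Return the source list of the base-uri directive, or None if absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "base-uri":
            return parts[1:]
    return None  # absent: the browser accepts any <base href>


def origin(url):
    """(scheme, host, port) tuple with default ports filled in."""
    u = urlsplit(url)
    port = u.port or {"https": 443, "http": 80}.get(u.scheme.lower())
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def source_matches(source, base_url, document_url):
    """Simplified CSP source-expression matching for a single source."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":  # same scheme, host and port as the document
        return origin(base_url) == origin(document_url)
    if src.endswith(":") and "/" not in src:  # scheme-source, e.g. https:
        return urlsplit(base_url).scheme.lower() == src[:-1]
    if "://" not in src:  # scheme-less host-source inherits the document scheme
        src = urlsplit(document_url).scheme + "://" + src
    return origin(src) == origin(base_url)  # host-source (no wildcard support)


def base_allowed(policy, base_url, document_url=DOCUMENT_URL):
    """True if the <base href> would be accepted under the given policy."""
    sources = base_uri_sources(policy)
    if sources is None:
        return True
    return any(source_matches(s, base_url, document_url) for s in sources)


if __name__ == "__main__":
    for href in ("https://mywebsite.com/", "https://otherwebsite.com/"):
        verdict = "Allowed" if base_allowed(POLICY, href) else "Blocked"
        print(f'{verdict}: <base href="{href}">')
```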

Additional Information

  • The base-uri directive is important for controlling the base URL used for relative URLs in your document
  • It helps prevent attackers from manipulating the base URL to redirect requests to malicious endpoints
  • Using 'self' is recommended as it ensures base URLs remain within your trusted domain
