Host Source
The host-source is a fundamental component of Content Security Policy that allows you to specify which hosts can serve resources for your web application. It follows a specific format that includes scheme, host, port, and path components.
Format
The host-source follows this format:
[scheme://] <host> [:port] [/path]
Components
Scheme (Optional)
The scheme component specifies the protocol used to access the resource.
https: Recommended for secure connections
wss: Secure WebSocket connections
http: Not recommended - unencrypted
ws: Not recommended - unencrypted WebSocket
Scheme Behavior
If no scheme is specified, the document's origin scheme is used. Secure upgrades are allowed (e.g., http://example.com will match https://example.com).
Host (Required)
The host component of a host-source specifies the domain or IP address from which resources can be loaded.
subdomain.domain.com Specific subdomain and domain
domain.com Specific domain (includes all subdomains)
ip-address Specific IP address (not recommended)
*.subdomain.domain.com All subdomains of a specific subdomain (use with caution)
*.domain.com All subdomains of a domain (use with caution)
* Any host (extremely permissive, avoid if possible)
IP Address Usage
Using IP addresses in host-sources is not recommended for production environments. They are harder to maintain, may change unexpectedly, and could bypass DNS-based security controls. Always prefer domain names unless absolutely necessary.
Wildcard Usage
Wildcards are allowed but not recommended, because they are too broad. Only use wildcards when absolutely necessary, as they can significantly reduce the security benefits of your CSP.
Port (Optional)
The port component specifies the port number used to access the resource.
0-65535 Any valid port number can be specified
Port Defaults
When no port is specified, the scheme's default port is used. HTTP and WS use port 80, while HTTPS and WSS use port 443.
Path (Optional)
The path component of a host-source specifies the path to the resource on the server.
Path Restrictions
When using paths in your host-source, be aware that they follow an exact matching pattern. A path of /api/ will not match /api/v1/. Consider using wildcards carefully if you need to match multiple paths under a directory.
/path/to/file.js Allows access to a specific file
/path/to/folder/ Allows access to all resources under that path
Notes
Wildcards cannot be used in the path component. If the path ends with a /, the CSP will allow all resources under that path.
Examples
Allows all resources under the /api/ directory
Content-Security-Policy: default-src https://example.com/api/;
Allows only the specific main.js file
Content-Security-Policy: default-src https://example.com/scripts/main.js;
Examples
Basic Examples
Basic host-source with HTTPS scheme
Content-Security-Policy: default-src https://example.com;
Host-source with explicit port
Content-Security-Policy: default-src https://example.com:443;
Advanced Examples
Allow all subdomains with HTTPS
Content-Security-Policy: default-src https://*.domain.com;
Specific path with custom port
Content-Security-Policy: default-src https://subdomain.domain.com:42/path/to/file.js;
WebSocket connection (also allows WSS)
Content-Security-Policy: default-src ws://domain.com;
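To make the scheme, host, port and path rules above concrete, here is an added example (not code from the original page, and not a browser's own implementation): a small Python matcher that parses a host-source and decides whether a given URL is permitted by it. It follows the CSP Level 3 source-expression matching algorithm in simplified form (paths are compared as raw strings rather than percent-decoded segments), and it checks the policies from the Examples section. All function names, the origin_scheme parameter and the sample URLs are assumptions for illustration. One detail worth seeing in code: a wildcard host such as *.domain.com matches every subdomain but not the bare domain.com itself.

```python
"""Minimal CSP host-source matcher (added example, not from the original page)."""
import re
from urllib.parse import urlsplit

# Default ports by scheme, used when a host-source or a URL carries no port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# [scheme://] <host> [:port] [/path]  (the format shown on the page)
HOST_SOURCE_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?P<port>\d{1,5}|\*))?"
    r"(?P<path>/[^\s?#]*)?$",
    re.IGNORECASE,
)


def parse_host_source(source: str) -> dict:
    """Split a host-source string into scheme, host, port and path parts."""
    m = HOST_SOURCE_RE.match(source.strip())
    if not m:
        raise ValueError(f"not a valid host-source: {source!r}")
    parts = m.groupdict()
    parts["scheme"] = parts["scheme"].lower() if parts["scheme"] else None
    parts["host"] = parts["host"].lower()
    if parts["port"] and parts["port"] != "*":
        port = int(parts["port"])
        if port > 65535:
            raise ValueError(f"port out of range in {source!r}")
        parts["port"] = port
    return parts


def scheme_matches(source_scheme: str, url_scheme: str) -> bool:
    """Exact match, plus the secure upgrades the page mentions (http->https, ws->wss)."""
    if source_scheme == url_scheme:
        return True
    # CSP3 scheme-part matching: http also matches https; ws also matches wss, http and https.
    return (source_scheme, url_scheme) in {
        ("http", "https"), ("ws", "wss"), ("ws", "http"), ("ws", "https"),
    }


def host_matches(source_host: str, url_host: str) -> bool:
    if source_host == "*":
        return True
    if source_host.startswith("*."):
        # Wildcard: any subdomain, but not the bare domain itself.
        return url_host.endswith(source_host[1:])
    return source_host == url_host


def port_matches(source_port, url_port: int, url_scheme: str) -> bool:
    if source_port == "*":
        return True
    if source_port is None:
        # No port in the host-source: the URL must use the default port of its own scheme.
        return url_port == DEFAULT_PORTS.get(url_scheme)
    return source_port == url_port


def path_matches(source_path, url_path: str) -> bool:
    if not source_path:
        return True
    url_path = url_path or "/"
    if source_path.endswith("/"):
        # Trailing slash: everything under that directory is allowed.
        return url_path.startswith(source_path)
    return url_path == source_path  # otherwise it must be exactly that file


def url_matches_host_source(source: str, url: str, origin_scheme: str = "https") -> bool:
    """Return True if `url` is permitted by the host-source `source`.

    `origin_scheme` (assumed parameter) is the scheme of the document carrying
    the policy; it is used when the host-source names no scheme of its own.
    """
    src = parse_host_source(source)
    u = urlsplit(url)
    url_scheme = u.scheme.lower()
    url_host = (u.hostname or "").lower()
    url_port = u.port if u.port is not None else DEFAULT_PORTS.get(url_scheme)
    src_scheme = src["scheme"] or origin_scheme.lower()
    return (
        scheme_matches(src_scheme, url_scheme)
        and host_matches(src["host"], url_host)
        and port_matches(src["port"], url_port, url_scheme)
        and path_matches(src["path"], u.path)
    )


if __name__ == "__main__":
    # Constructed checks against the policies from the Examples section.
    checks = [
        ("https://example.com", "https://example.com/app.js"),
        ("https://example.com", "http://example.com/app.js"),
        ("https://*.domain.com", "https://cdn.domain.com/lib.js"),
        ("https://*.domain.com", "https://domain.com/lib.js"),
        ("ws://domain.com", "wss://domain.com/socket"),
        ("https://example.com/api/", "https://example.com/api/users"),
    ]
    for source, url in checks:
        print(f"{source:32} {url:40} {url_matches_host_source(source, url)}")
```

Running the script prints one line per check; the same function can be imported to test a candidate policy against the URLs a page actually loads before the policy is deployed. The origin_scheme argument covers the Scheme Behavior case above: a scheme-less host-source on an http document still permits the https version of the same host.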