Host Source

The host-source is one of the source expression forms used in Content Security Policy directives (script-src, connect-src, default-src and so on). It names a host that is allowed to serve resources for the page, optionally narrowed by scheme, port and path. A URL is permitted by a host-source only when every component that the expression specifies matches the corresponding part of the URL.

Format

The host-source follows this format: [scheme://] <host> [:port] [/path]

Only the host is required. Each optional component, when present, adds a further condition the URL has to satisfy.

Components

Scheme (Optional)

The scheme component specifies the protocol used to access the resource.
  • https: Recommended for secure connections

  • wss: Secure WebSocket connections

  • http: Not recommended - unencrypted

  • ws: Not recommended - unencrypted WebSocket

Scheme Behavior

If no scheme is specified, the expression is matched against the scheme of the document that carries the policy: on an https: page, example.com matches only https://example.com, while on an http: page it matches both http://example.com and https://example.com. An explicit scheme also permits its secure upgrade, so http://example.com matches https://example.com and ws://example.com matches wss://example.com, but never the reverse: https://example.com does not match http://example.com.

Host (Required)

The host component of a host-source specifies the domain or IP address from which resources can be loaded. Matching is case-insensitive and, except for the wildcard forms, exact.
  • subdomain.domain.com Specific subdomain and domain

  • domain.com That exact host only; subdomains such as www.domain.com are not included

  • ip-address Specific IP address, compared literally (not recommended)

  • *.subdomain.domain.com All hosts ending in .subdomain.domain.com, at any depth, but not subdomain.domain.com itself (use with caution)

  • *.domain.com All hosts ending in .domain.com, at any depth, but not domain.com itself; list both if the bare domain is also needed (use with caution)

  • * Any host (extremely permissive, avoid if possible)

IP Address Usage

Using IP addresses in host-sources is not recommended for production environments. An IP literal is compared literally, so it does not cover a hostname that resolves to that address, and it ties the policy to infrastructure details that change independently of the application. Always prefer domain names unless absolutely necessary.

Wildcard Usage

Wildcards are allowed but not recommended because they are too broad: *.domain.com trusts every current and future host under the domain, including ones that serve user-controlled content, staging systems, or third-party services, and any one of them can then serve resources into your page. Only use wildcards when absolutely necessary, and prefer listing the specific hosts you actually load from.

Port (Optional)

The port component specifies the port number used to access the resource.
  • 0-65535 Any valid port number can be specified

  • * Any port on the given host

Port Defaults

When no port is specified, the scheme's default port is used. HTTP and WS use port 80, while HTTPS and WSS use port 443. Writing the default port explicitly changes nothing: https://example.com and https://example.com:443 match the same URLs. A host-source without a port does not match a URL on a non-default port, so https://example.com does not allow https://example.com:8443.

Path (Optional)

The path component of a host-source specifies the path to the resource on the server.

Path Restrictions

Paths are compared segment by segment after percent-decoding, and the comparison is case-sensitive. A path that ends with a / is a directory prefix: /api/ matches /api/v1/ and /api/users but not /apiary. A path that does not end with a / must match the URL's path exactly, segment for segment. The query string and fragment of the URL are ignored.

  • /path/to/file.js Allows access to that specific file only

  • /path/to/folder/ Allows access to all resources under that path

Notes

Wildcards cannot be used in the path component. If the path ends with a /, the CSP will allow all resources under that path. Note also that the path is ignored once a request has been redirected: if an allowed URL redirects elsewhere, only the scheme, host and port of the redirect target are checked against the policy, not its path. Path restrictions therefore do not protect against open redirects on the allowed host.

Path Examples

Allows all resources under the /api/ directory

Content-Security-Policy: default-src https://example.com/api/;

Allows only the specific main.js file

Content-Security-Policy: default-src https://example.com/scripts/main.js;
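To make the scheme, host, port and path rules above concrete, here is an added example (not part of the original page and not any browser's code) in JavaScript: a small matcher that applies the CSP host-source matching rules component by component. It assumes Node.js with the WHATWG URL class; the function names parseHostSource and hostSourceMatches are this example's own, and the document scheme and the afterRedirect flag are inputs the caller supplies. The URLs in the demo at the bottom are constructed sample data.

```javascript
// Added example: a minimal CSP host-source matcher covering the scheme, host,
// port and path rules described on this page. Not browser code; names such as
// parseHostSource and hostSourceMatches are this example's own.

const DEFAULT_PORTS = { http: 80, https: 443, ws: 80, wss: 443 };

// Parse "[scheme://]host[:port][/path]". Hosts are domain names or IPv4
// literals (CSP host-chars); "*" and a leading "*." are the only wildcards.
function parseHostSource(expr) {
  const re = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/[^\s;,]*)?$/i;
  const m = re.exec(expr.trim());
  if (!m) throw new Error(`not a valid host-source: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null, // null: take the document's scheme
    host: m[2].toLowerCase(),
    port: m[3] ?? null,                       // null: only the scheme's default port
    path: m[4] ?? '',                         // '': any path
  };
}

// A source scheme matches itself and its secure upgrade (http->https, ws->wss).
// CSP Level 3 defines further cross-scheme cases; only the ones this page
// describes are implemented here.
function schemeMatches(srcScheme, urlScheme) {
  return srcScheme === urlScheme
    || (srcScheme === 'http' && urlScheme === 'https')
    || (srcScheme === 'ws' && urlScheme === 'wss');
}

// "*" matches any host; "*.d.com" matches hosts that end in ".d.com" and are
// longer than that suffix (so not d.com itself); anything else is exact.
function hostMatches(srcHost, urlHost) {
  if (srcHost === '*') return true;
  if (srcHost.startsWith('*.')) {
    const suffix = srcHost.slice(1);
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return srcHost === urlHost;
}

// urlPort is null when the URL is on its scheme's default port (the WHATWG URL
// parser drops default ports). A source with no port only matches that case.
function portMatches(srcPort, urlScheme, urlPort) {
  if (srcPort === '*') return true;
  if (srcPort === null) return urlPort === null;
  if (urlPort === null) return Number(srcPort) === DEFAULT_PORTS[urlScheme];
  return Number(srcPort) === urlPort;
}

const decode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// Paths are compared segment by segment after percent-decoding. A trailing "/"
// makes the source a directory prefix; otherwise every segment must match.
// The path is ignored entirely when the URL was reached through a redirect.
function pathMatches(srcPath, urlPath, afterRedirect) {
  if (srcPath === '' || srcPath === '/' || afterRedirect) return true;
  const exact = !srcPath.endsWith('/');
  const want = srcPath.split('/').slice(1).map(decode);
  const have = urlPath.split('/').slice(1).map(decode);
  if (!exact) want.pop(); // drop the empty segment after the trailing "/"
  if (have.length < want.length) return false;
  if (exact && have.length !== want.length) return false;
  return want.every((seg, i) => seg === have[i]);
}

// documentScheme: scheme of the page carrying the policy (used when the
// host-source has none). afterRedirect: whether urlString is a redirect target.
function hostSourceMatches(expr, urlString, documentScheme = 'https', afterRedirect = false) {
  const src = parseHostSource(expr);
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  const urlPort = url.port === '' ? null : Number(url.port);
  return schemeMatches(src.scheme ?? documentScheme, urlScheme)
    && hostMatches(src.host, url.hostname.toLowerCase())
    && portMatches(src.port, urlScheme, urlPort)
    && pathMatches(src.path, url.pathname, afterRedirect);
}

// Stand-alone demo over a few constructed URLs (sample data, not real traffic).
if (typeof require !== 'undefined' && require.main === module) {
  const checks = [
    ['domain.com', 'https://sub.domain.com/'],                    // false: no subdomains
    ['*.domain.com', 'https://domain.com/'],                      // false: wildcard excludes bare domain
    ['http://example.com', 'https://example.com/'],               // true: secure upgrade
    ['https://example.com/api/', 'https://example.com/api/v1/'],  // true: directory prefix
    ['https://example.com/api/', 'https://example.com/apiary'],   // false: segment match, not string prefix
  ];
  for (const [src, u] of checks) console.log(src.padEnd(28), u.padEnd(36), hostSourceMatches(src, u));
}
```

The afterRedirect flag is worth trying with a path-restricted source: hostSourceMatches('https://example.com/scripts/', 'https://example.com/evil.js', 'https', true) returns true, which is exactly why a path restriction gives no protection against an open redirect on the allowed host.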

Examples

Basic Examples

Basic host-source with HTTPS scheme

Content-Security-Policy: default-src https://example.com;

Host-source with explicit port (equivalent to https://example.com, since 443 is the default for HTTPS)

Content-Security-Policy: default-src https://example.com:443;

Advanced Examples

Allow all subdomains with HTTPS (does not cover domain.com itself; add it separately if needed)

Content-Security-Policy: default-src https://*.domain.com;

Specific file on a custom port (matches only that exact path on port 42)

Content-Security-Policy: default-src https://subdomain.domain.com:42/path/to/file.js;

WebSocket connection (ws: also matches wss:, but wss: would not match ws:). WebSocket connections are governed by connect-src; default-src applies only when connect-src is absent.

Content-Security-Policy: default-src ws://domain.com;
