default-src

The default-src directive serves as the fallback for other CSP directives that are not explicitly specified. It is one of the most fundamental directives in Content Security Policy and should be configured carefully, because it affects multiple aspects of your web application's security.

Recommended Values

Recommended default-src configuration

Content-Security-Policy: default-src 'none';

Tips & Tricks

  • Use 'none' as the default-src value: this is the most secure configuration and blocks all resources by default.

  • default-src is a fallback directive: if a more specific fetch directive is defined, it overrides default-src for that resource type.

  • Do not use 'unsafe-inline' or 'unsafe-eval': these introduce security vulnerabilities.

Possible Values

  • 'none': No sources are allowed
  • 'self': Only resources from the same origin are allowed
  • 'strict-dynamic': Trusts explicitly marked scripts and their dependencies
  • 'report-sample': Includes a sample of the violating code in violation reports
  • URLs: Specific domains or paths (e.g., https://my.example.com/path/)
  • Schemes: Protocol schemes (e.g., https:, data:)
  • Wildcards: * for subdomains (e.g., *.example.com)
  • ⚠️'unsafe-inline': Allows inline scripts and styles (insecure)
  • ⚠️'unsafe-eval': Allows dynamic code evaluation (insecure)

Relationships and Interactions

The default-src directive serves as a fallback for the following directives when they are not explicitly specified:

Example Configurations

Example policy

CSP Header

Content-Security-Policy: default-src 'self' https://trusted-cdn.com

Allowed

<!-- allowed as trusted-cdn.com is allowed -->
<script src="https://trusted-cdn.com/script.js"></script>

<!-- allowed as self origin is allowed -->
<script src="/script.js"></script>

<!-- allowed: img-src is not set, so it falls back to default-src, which allows trusted-cdn.com -->
<img src="https://trusted-cdn.com/image.jpg" alt="Trusted image">

Blocked

<!-- blocked as the data: scheme is not among the allowed sources -->
<img src="data:image/png;base64,..." alt="Blocked inline image">

<!-- blocked as the domain is not authorized -->
<script src="https://malicious.file.com/hihi.js"></script>

<!-- blocked as inline script is not allowed without 'unsafe-inline' -->
<script>alert('Hello there');</script>

<!-- blocked as inline event handlers are not allowed without 'unsafe-inline' -->
<button onclick="alert('Hello there');">Click me</button>

// blocked as eval is not allowed without 'unsafe-eval'
eval('alert("Blocked!")');

// blocked as new Function is not allowed without 'unsafe-eval'
new Function('alert("Blocked!")')();
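The fallback rule from the tips above and the example policy just shown, worked through in an added example that is not part of the original page: a small Python evaluator that parses a policy, selects the effective source list for a fetch directive (using default-src when the directive is absent) and decides whether a resource or keyword would pass. The page origin https://app.example used in the checks is an assumed value; nonces, hashes and 'strict-dynamic' are deliberately not modelled.

```python
from urllib.parse import urljoin, urlparse

# Fetch directives that fall back to default-src when absent (a representative subset).
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                       "media-src", "object-src", "frame-src", "worker-src"}

def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list governing `directive`: its own list if set, else default-src, else None."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None  # nothing in the policy restricts this directive

def host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.example.com matches cdn.example.com, not example.com
    return pattern == host

def url_allowed(header, directive, url, page_origin):
    """Would a fetch of `url` by `directive`, issued from a page at `page_origin`, pass?"""
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True
    res, page = urlparse(urljoin(page_origin, url)), urlparse(page_origin)
    for src in sources:
        if src == "'self'" and (res.scheme, res.netloc) == (page.scheme, page.netloc):
            return True
        if src.endswith(":") and res.scheme == src[:-1]:  # scheme source, e.g. https: or data:
            return True
        if not src.startswith("'") and not src.endswith(":") and res.hostname:  # host source
            pat = urlparse(src if "://" in src else "//" + src)
            if host_matches(pat.hostname, res.hostname) and pat.scheme in ("", res.scheme):
                return True
    return False  # also covers 'none', which never matches anything

def keyword_allowed(header, directive, keyword):
    """'unsafe-inline' gates inline script/style and handlers; 'unsafe-eval' gates eval()."""
    sources = effective_sources(parse_csp(header), directive)
    return sources is None or keyword in sources
```

Running the page's policy through `url_allowed` and `keyword_allowed` reproduces the Allowed and Blocked lists above, and a policy such as `default-src 'none'; img-src 'self'` shows the per-directive override.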

Additional Information

  • The default-src directive is mandatory for effective CSP implementation
  • It's recommended to start with a restrictive policy and gradually relax it based on application needs
  • Consider using the Content-Security-Policy-Report-Only header for testing CSP configurations
  • The report-uri or report-to directive can be used to collect violation reports
