default-src
The default-src directive serves as the fallback for the other fetch directives that are not explicitly specified. It is one of the most fundamental directives in Content Security Policy and should be configured carefully, because it governs how many different kinds of resources your web application may load.
Recommended Values
- 'self': only resources from the same origin may be loaded and executed
- 'none': no sources are allowed
Recommended default-src configuration
Content-Security-Policy: default-src 'none';
Tips & Tricks
- Use 'none' as the default-src value: this is the most secure configuration and blocks every resource type covered by default-src unless a more specific directive allows it.
- default-src is a fallback directive: if a more specific fetch directive is defined, it overrides default-src for that resource type.
- Do not use 'unsafe-inline' or 'unsafe-eval': they reintroduce the script-injection risks that CSP is meant to remove.
Possible Values
- 'none': no sources are allowed
- 'self': only resources from the same origin are allowed
- 'strict-dynamic': trusts explicitly marked scripts and their dependencies
- 'report-sample': includes a sample of the violating code in violation reports
- URLs: specific domains or paths (e.g., https://my.example.com/path/)
- Schemes: protocol schemes (e.g., https:, data:)
- Wildcards: * for subdomains (e.g., *.example.com)
- ⚠️ 'unsafe-inline': allows inline scripts and styles (insecure)
- ⚠️ 'unsafe-eval': allows dynamic code evaluation (insecure)
Relationships and Interactions
The default-src directive serves as a fallback for the following directives when they are not explicitly specified:
script-src
style-src
font-src
img-src
connect-src
worker-src
object-src
media-src
manifest-src
frame-src
prefetch-src
child-src
Example Configurations
Example policy
CSP Header
Content-Security-Policy: default-src 'self' https://trusted-cdn.com
Allowed
<!-- allowed as trusted-cdn.com is allowed -->
<script src="https://trusted-cdn.com/script.js"></script>
<!-- allowed as self origin is allowed -->
<script src="/script.js"></script>
<!-- allowed as default-src also covers images and trusted-cdn.com is allowed -->
<img src="https://trusted-cdn.com/image.jpg" alt="Trusted image">
Blocked
<!-- blocked as inline image is not allowed -->
<img src="data:image/png;base64,..." alt="Blocked inline image">
<!-- blocked as the domain is not authorized -->
<script src='https://malicious.file.com/hihi.js'></script>
<!-- blocked as inline script is not allowed -->
<script>alert('Hello there');</script>
<!-- blocked as event handlers are not allowed -->
<button onclick="alert('Hello there');">Click me</button>
<!-- blocked as eval is not allowed ('unsafe-eval' is not set) -->
eval('alert("Blocked!")');
<!-- blocked as new Function is not allowed ('unsafe-eval' is not set) -->
new Function('alert("Blocked!")')();
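To make the fallback chain from "Relationships and Interactions" and the example policy above concrete, here is a small Python evaluator that parses a CSP header, resolves which directive governs each fetch, and checks the page's allowed/blocked cases. It is an added example, not code from this page or from any browser: the self origin https://app.example and all function names are assumptions, and it is a teaching model (no nonces, hashes or 'strict-dynamic', no http-to-https upgrade rule), not a spec-complete CSP3 matcher.

```python
"""Toy CSP evaluator for the default-src fallback chain (added example, not from the page)."""
from urllib.parse import urlparse

# Fallback chains, most specific first. child-src sits between frame-src /
# worker-src and default-src, and worker-src also falls back to script-src.
# base-uri, form-action and frame-ancestors are not fetch directives and never
# fall back to default-src, so they are deliberately absent from this table.
FALLBACKS = {
    "frame-src": ["frame-src", "child-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
}
for _d in ("script-src", "style-src", "img-src", "font-src", "connect-src",
           "media-src", "object-src", "manifest-src", "prefetch-src", "child-src"):
    FALLBACKS[_d] = [_d, "default-src"]


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # duplicate directive: first wins
    return policy


def effective_sources(policy, directive):
    """Walk the fallback chain; None means nothing in the policy governs this fetch."""
    for name in FALLBACKS.get(directive, [directive, "default-src"]):
        if name in policy:
            return policy[name]
    return None


def source_matches(expr, url, self_origin):
    """Match one source expression ('self', scheme, host with optional *./port/path) against a URL."""
    expr_l, target = expr.lower(), urlparse(url)
    if expr_l == "'self'":
        origin = urlparse(self_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if expr_l.startswith("'"):          # other keywords never match a URL
        return False
    if expr_l == "*":                   # '*' excludes data:, blob: and filesystem: URLs
        return target.scheme not in ("data", "blob", "filesystem")
    if expr_l.endswith(":") and "/" not in expr_l:   # scheme source such as https: or data:
        return target.scheme == expr_l[:-1]
    pat = urlparse(expr_l if "://" in expr_l else "//" + expr_l)
    host = (target.hostname or "").lower()
    if pat.scheme and pat.scheme != target.scheme:
        return False
    if pat.hostname.startswith("*."):   # wildcard covers subdomains only, not the bare domain
        if not host.endswith(pat.hostname[1:]):
            return False
    elif pat.hostname != host:
        return False
    if pat.port is not None and pat.port != target.port:
        return False
    if pat.path:                        # trailing slash = prefix match, otherwise exact match
        return target.path.startswith(pat.path) if pat.path.endswith("/") else target.path == pat.path
    return True


def is_allowed(policy, directive, url, self_origin):
    """True when the URL may be fetched for this directive under the policy."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if [s.lower() for s in sources] == ["'none'"]:
        return False
    return any(source_matches(s, url, self_origin) for s in sources)


def allows_inline(policy, directive):
    """Inline code and event handlers need 'unsafe-inline' (nonces/hashes not modelled)."""
    sources = effective_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in [s.lower() for s in sources]


def allows_eval(policy):
    """eval() and new Function() need 'unsafe-eval' on the directive governing scripts."""
    sources = effective_sources(policy, "script-src")
    return sources is None or "'unsafe-eval'" in [s.lower() for s in sources]


def check_page_example(self_origin="https://app.example"):
    """Re-run the page's example policy; self_origin is a constructed value."""
    p = parse_csp("default-src 'self' https://trusted-cdn.com")
    return {
        "cdn script": is_allowed(p, "script-src", "https://trusted-cdn.com/script.js", self_origin),
        "self script": is_allowed(p, "script-src", self_origin + "/script.js", self_origin),
        "cdn image": is_allowed(p, "img-src", "https://trusted-cdn.com/image.jpg", self_origin),
        "data: image": is_allowed(p, "img-src", "data:image/png;base64,iVBORw0KGgo=", self_origin),
        "other host": is_allowed(p, "script-src", "https://malicious.file.com/hihi.js", self_origin),
        "inline script": allows_inline(p, "script-src"),
        "eval": allows_eval(p),
    }


if __name__ == "__main__":
    for label, ok in check_page_example().items():
        print(f"{label:14} {'allowed' if ok else 'blocked'}")
```

Running it reproduces the table above: the two trusted-cdn.com loads and the same-origin script are allowed, while the data: image, the foreign host, the inline script and eval are blocked. Swapping in `default-src 'none'; script-src 'self'` shows the fallback order: a same-origin worker is allowed through script-src, while images and frames fall through to 'none'.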
Additional Information
- The default-src directive is mandatory for effective CSP implementation
- It's recommended to start with a restrictive policy and gradually relax it based on application needs
- Consider using the Content-Security-Policy-Report-Only header for testing CSP configurations
- The report-uri or report-to directive can be used to collect violation reports
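Violation reports are only useful for "start restrictive, then relax" if they are aggregated before anything is changed. The script below is an added example, not code from this page: the report bodies, hostnames and the /csp endpoint path are constructed, and the key names follow the report-uri JSON object (csp-report with effective-directive and blocked-uri) and the Reporting API csp-violation body (effectiveDirective, blockedURL) that report-to delivers. It groups violations by the directive that actually failed, so that a fix lands on img-src or connect-src rather than on default-src itself.

```python
"""Aggregate CSP violation reports to decide what to relax (added example, not from the page)."""
import json
from collections import Counter

# Constructed sample report bodies. The first three use the legacy report-uri
# shape (a JSON object with a "csp-report" key, POSTed as application/csp-report);
# the last uses the Reporting API shape that report-to delivers (a JSON array of
# reports whose body uses camelCase keys). All values are made up for illustration.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "violated-directive": "default-src 'self'",   # some browsers send the whole directive text here
        "effective-directive": "img-src",             # the directive that actually failed
        "blocked-uri": "https://images.example",      # cross-origin URLs are reduced to their origin
        "original-policy": "default-src 'self'; report-uri /csp"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/account",
        "violated-directive": "default-src 'self'",
        "effective-directive": "img-src",
        "blocked-uri": "https://images.example",
        "original-policy": "default-src 'self'; report-uri /csp"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "violated-directive": "default-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "inline",                      # inline <script> or event handler, not a URL
        "original-policy": "default-src 'self'; report-uri /csp"}}),
    json.dumps([{"type": "csp-violation", "age": 12, "url": "https://app.example/",
                 "body": {"documentURL": "https://app.example/",
                          "effectiveDirective": "connect-src",
                          "blockedURL": "https://api.example",
                          "disposition": "report"}}]),
]


def extract_violations(body):
    """Yield (effective_directive, blocked) pairs from either report format."""
    data = json.loads(body)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        # Prefer effective-directive; fall back to the first token of violated-directive
        # so "default-src 'self'" still yields a directive name.
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        yield directive, r.get("blocked-uri", "")
    else:
        for report in data:
            if report.get("type") == "csp-violation":
                b = report["body"]
                yield b["effectiveDirective"], b.get("blockedURL", "")


def summarize(bodies):
    """Count violations per (directive, blocked source)."""
    counts = Counter()
    for body in bodies:
        counts.update(extract_violations(body))
    return counts


def review_items(counts, min_count=1):
    """Turn counts into review lines. Only URLs become candidate allow-list entries,
    on the specific directive rather than default-src; inline/eval point at the code."""
    items = []
    for (directive, blocked), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < min_count:
            continue
        if blocked in ("inline", "eval"):
            items.append(f"{directive}: {n} x {blocked} -> change the code (external file, nonce or hash); do not add 'unsafe-{blocked}'")
        elif blocked:
            items.append(f"{directive}: {n} x {blocked} -> if legitimate, add {blocked} to {directive}, not to default-src")
        else:
            items.append(f"{directive}: {n} x unknown source -> investigate before changing the policy")
    return items


if __name__ == "__main__":
    for line in review_items(summarize(SAMPLE_BODIES)):
        print(line)
```

Run this against the bodies your report endpoint stored while the policy was deployed as Content-Security-Policy-Report-Only; once the list is empty or every remaining line is an expected third party, the same header can be switched to enforcing.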
Related Resources
External Articles
- MDN Web Docs: Content-Security-Policy
- OWASP: Content Security Policy Cheat Sheet
- Google Web Fundamentals: Content Security Policy