img-src
Theimg-src
directive controls which sources can be used to load images in your web application. It's an important CSP directive that helps prevent image-based attacks and ensures that only trusted image sources are loaded in your application.
Recommended Values
'self' Allows the resource to be loaded and executed
https://subdomain.domain.com/path Allows the resource to be loaded and executed
Recommended img-src configuration
Content-Security-Policy: img-src 'self' https://trusted-cdn.com;
Tips & Tricks
Using 'self' restricts images to the same origin, which is a good security baseline.
For third-party images, explicitly whitelist their domains instead of using broad permissions.
Using 'data:' allows inline images but can introduce security risks. Use only when necessary.
Using broad keywords like 'http:', 'https:', 'data:', 'mediastream:', 'filesystem:', 'blob:', 'link:' is too permissive and may introduce security vulnerabilities.
Possible Values
'none'
: No images are allowed'self'
: Only images from the same origin are allowed- URLs: Specific domains (e.g.,
https://trusted-cdn.com
) - Schemes: Protocol schemes (e.g.,
https:
,data:
)
Example Configurations
Example policy with multiple sources
CSP Header with multiple allowed domains
Content-Security-Policy: img-src 'self' https://trusted-cdn.com ;
Allowed
<!-- allowed by 'self' -->
<img src="/images/logo.png">
<!-- allowed by 'self' -->
<link rel="icon" href="/favicon.ico">
<!-- allowed by https://example.com -->
<link rel="icon" href="https://example.com/favicon.ico">
Blocked
<!-- blocked as the domain is not authorized -->
<img src='https://malicious.file.com/logo.png'>
<!-- blocked as the domain is not authorized -->
<link rel='icon' href='https://malicious.file.com/favicon.ico'>
Additional Information
- The
img-src
directive is important for preventing image-based attacks - If
img-src
is not specified, the browser falls back to thedefault-src
directive - Consider using Subresource Integrity (SRI) for third-party images when possible
- Be cautious with allowing
data:
URIs as they can be used for certain types of attacks
Related Resources
External Articles
- MDN Web Docs: img-src
- OWASP: Content Security Policy Cheat Sheet
- Google Web Fundamentals: Content Security Policy