default-src is the fallback directive for all fetch directives not explicitly listed. If you set default-src self and do not set font-src, fonts fall back to self. It does not cover frame-ancestors, form-action, or sandbox.

What is the difference between frame-src and frame-ancestors?

frame-src controls which URLs your page can embed in iframes. frame-ancestors controls who can embed your page. frame-ancestors replaces X-Frame-Options.

Is unsafe-inline always dangerous?

In script-src yes — it allows any inline script including injected ones, defeating XSS protection. In style-src it is less dangerous and often required for CSS-in-JS frameworks.

CSP Directives Cheatsheet 2026

Updated April 2026

Quick Answer CSP directives control which resources a page can load. default-src is the fallback for all. script-src controls JavaScript. style-src controls CSS. connect-src controls fetch/XHR. frame-ancestors replaces X-Frame-Options. Source values: 'self' = same origin, 'none' = block all, 'nonce-VALUE' = specific inline script.

Every Content Security Policy directive in one place — what it controls, valid source values, and examples. Updated for CSP Level 3.

Quick reference — fetch directives

Directive	Controls	Falls back to
`default-src`	Fallback for all fetch directives not listed	—
`script-src`	JavaScript files and inline scripts	default-src
`style-src`	CSS files and inline styles	default-src
`img-src`	Images (src attribute, CSS background-image)	default-src
`font-src`	Font files (woff, woff2, ttf)	default-src
`connect-src`	fetch, XHR, WebSocket, EventSource	default-src
`media-src`	Audio and video elements	default-src
`frame-src`	Frames loaded by your page (iframes)	child-src → default-src
`child-src`	Workers and frames (legacy)	default-src
`worker-src`	Web Workers, Service Workers	child-src → default-src
`object-src`	Flash, Java plugins (object, embed)	default-src
`manifest-src`	Web app manifests	default-src

Document directives

Directive	Controls
`base-uri`	URLs usable in <base> tag. Set to 'self' to prevent base tag injection
`frame-ancestors`	Who can embed your page in an iframe. Replaces X-Frame-Options
`form-action`	URLs forms can submit to
`sandbox`	Applies iframe-like sandbox restrictions to the page

Other directives

Directive	Controls
`upgrade-insecure-requests`	Rewrites HTTP to HTTPS for all subresource requests
`report-to`	Endpoint for violation reports (modern, use with Reporting-Endpoints header)
`report-uri`	URL for violation reports (deprecated, use for compatibility)
`require-trusted-types-for`	Requires Trusted Types for DOM XSS sinks

Source values

Value	Meaning
`'none'`	Block everything
`'self'`	Same origin only
`'unsafe-inline'`	Allow inline scripts/styles (defeats XSS protection)
`'unsafe-eval'`	Allow eval() and similar (dangerous)
`'strict-dynamic'`	Trust scripts loaded by already-trusted scripts (with nonce)
`'nonce-VALUE'`	Allow specific inline script/style with matching nonce attribute
`'sha256-HASH'`	Allow inline script/style matching this hash
`https:`	Any HTTPS source
`data:`	data: URIs (base64 images, etc)
`blob:`	Blob URLs
`https://example.com`	Specific origin
`*.example.com`	All subdomains of example.com

Minimal secure CSP

Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';

Report-only mode (deploy first)

# Use this header name to log violations without blocking anything
Content-Security-Policy-Report-Only: default-src 'self'; report-to csp-endpoint

Common third-party additions

# Google Analytics 4
script-src 'self' https://www.googletagmanager.com;
connect-src 'self' https://www.google-analytics.com;

# Google Fonts
style-src 'self' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;

# Stripe
script-src 'self' https://js.stripe.com;
connect-src 'self' https://api.stripe.com;
frame-src 'self' https://js.stripe.com;

Generate CSP from your live page → CSPFixer Build CSP from scratch → CSP Generator