Home

Defaultsrc

Default-src is a directive in Content Security Policy (CSP) that sets a default rule for loading resources. It serves as a fallback for all resource types that do not have their own explicit directive, such as script-src, img-src, or style-src.

The value of default-src is a source list. This list can include 'self' to refer to the

Interaction with other directives: If a resource type has a more specific directive, that directive takes precedence

Practical considerations: Using a restrictive default-src helps reduce exposure to cross-origin attacks and data exfiltration, but

Policy deployment: The directive is delivered via the Content-Security-Policy header or a meta tag. An example

origin
of
the
protected
document,
'none'
to
disallow
all
loading,
and
origins
or
schemes
such
as
https://example.com
or
https:.
It
can
also
include
other
allowed
keywords
depending
on
the
browser.
A
policy
like
default-src
'self'
https://cdn.example.com
allows
resources
from
the
same
origin
and
from
the
specified
CDN.
for
that
type.
For
example,
script-src
controls
JavaScript
regardless
of
default-src,
while
images
loaded
from
a
permitted
origin
under
default-src
will
require
nothing
more
specific
if
img-src
is
not
set.
too
permissive
settings
weaken
protection.
It
is
common
to
combine
a
restrictive
default-src
with
tighter
script-src
and
img-src
values,
and
to
avoid
unsafe-inline
or
unsafe-eval
unless
necessary.
For
inline
scripts
or
styles,
consider
using
nonces
or
hashes
with
specific
directives.
header
is
Content-Security-Policy:
default-src
'self'
https://cdn.example.com;
img-src
'self'
data:;
This
provides
a
simple
baseline
that
can
be
extended
with
more
granular
directives.
Browser
support
is
strong
across
modern
browsers.