content-security-policy · source lists · presets · copy header value · runs locally
optional — iframes / embeds
optional reporting endpoint
default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'
Use as: Content-Security-Policy: default-src 'self'; script-src 'self'; s…