Title here
Summary here
Content Security Policy
Content Security Policy (CSP) reduces XSS risk by restricting where scripts, styles, fonts, and other resources can load from.
Start with a strict baseline
Use self by default and add only domains your site actually needs.
[[headers]]
for = "/*"
[headers.values]
Content-Security-Policy = "default-src 'self'; manifest-src 'self'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self'; frame-ancestors 'none'; base-uri 'self'; object-src 'none'"Handle inline and third-party scripts explicitly
If inline scripts are required, prefer nonces or hashes instead of unsafe-inline.
- Nonce: good when values are generated per response
- Hash: good for stable inline snippets
- Third-party sources: add only exact hosts you trust
Roll out with report-only first
Deploy a Content-Security-Policy-Report-Only header, review violations, then enforce once clean.
Keep CSP aligned with asset strategy
Thulite/Core generates fingerprinted assets and SRI attributes, which work well with a strict CSP. When integrations change, re-check CSP so new endpoints and assets are explicitly allowed.
Verify after every release
In browser dev tools, confirm:
- No blocked first-party scripts or styles
- No unexpected external domains
- No CSP violations on key pages
Related
Next
Headers