
Content-Security-Policy - HTTP | MDN

<!doctype html><html lang="en-US" prefix="og: https://ogp.me/ns#"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="https://developer.mozilla.org/favicon-48x48.bc390275e955dacb2e65.png"/><link rel="apple-touch-icon" href="https://developer.mozilla.org/apple-touch-icon.528534bba673c38049c2.png"/><meta name="theme-color" content="#ffffff"/><link rel="manifest" href="https://developer.mozilla.org/manifest.f42880861b394dd4dc9b.json"/><link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="MDN Web Docs"/><title>Content-Security-Policy - HTTP | MDN</title><link rel="alternate" title="Content-Security-Policy" href="https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Content-Security-Policy" hrefLang="de"/><link rel="alternate" title="Content-Security-Policy" href="https://developer.mozilla.org/es/docs/Web/HTTP/Headers/Content-Security-Policy" hrefLang="es"/><link rel="alternate" title="Politique de sécurité de contenu" href="https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Content-Security-Policy" hrefLang="fr"/><link rel="alternate" title="Content-Security-Policy" href="https://developer.mozilla.org/ja/docs/Web/HTTP/Headers/Content-Security-Policy" hrefLang="ja"/><link rel="alternate" title="Content-Security-Policy" href="https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/Content-Security-Policy" hrefLang="pt"/><link rel="alternate" title="Content-Security-Policy" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Content-Security-Policy" hrefLang="zh"/><link rel="alternate" title="Content-Security-Policy" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" hrefLang="en"/><link rel="preload" as="font" type="font/woff2" href="/static/media/Inter.var.c2fe3cb2b7c746f7966a.woff2" crossorigin=""/><link rel="alternate" type="application/rss+xml" title="MDN Blog RSS Feed" 
href="https://developer.mozilla.org/en-US/blog/rss.xml" hrefLang="en"/><meta name="description" content="The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks."/><meta property="og:url" content="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"/><meta property="og:title" content="Content-Security-Policy - HTTP | MDN"/><meta property="og:type" content="website"/><meta property="og:locale" content="en_US"/><meta property="og:description" content="The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks."/><meta property="og:image" content="https://developer.mozilla.org/mdn-social-share.d893525a4fb5fb1f67a2.png"/><meta property="og:image:type" content="image/png"/><meta property="og:image:height" content="1080"/><meta property="og:image:width" content="1920"/><meta property="og:image:alt" content="The MDN Web Docs logo, featuring a blue accent color, displayed on a solid black background."/><meta property="og:site_name" content="MDN Web Docs"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:creator" content="MozDevNet"/><link rel="canonical" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"/><style media="print">.article-actions-container,.document-toc-container,.language-menu,.main-menu-toggle,.on-github,.page-footer,.place,.sidebar,.top-banner,.top-navigation-main,ul.prev-next{display:none!important}.main-page-content,.main-page-content pre{padding:2px}.main-page-content 
pre{border-left-width:2px}</style><script src="/static/js/gtag.js" defer=""></script><script defer="" src="/static/js/main.5e889624.js"></script><link href="/static/css/main.26c64ea7.css" rel="stylesheet"/></head><body><script>if(document.body.addEventListener("load",(t=>{t.target.classList.contains("interactive")&&t.target.setAttribute("data-readystate","complete")}),{capture:!0}),window&&document.documentElement){const t={light:"#ffffff",dark:"#1b1b1b"};try{const e=window.localStorage.getItem("theme");e&&(document.documentElement.className=e,document.documentElement.style.backgroundColor=t[e]);const o=window.localStorage.getItem("nop");o&&(document.documentElement.dataset.nop=o)}catch(t){console.warn("Unable to read theme from localStorage",t)}}</script><div id="root"><ul id="nav-access" class="a11y-nav"><li><a id="skip-main" href="#content">Skip to main content</a></li><li><a id="skip-search" href="#top-nav-search-input">Skip to search</a></li><li><a id="skip-select-language" href="#languages-switcher-button">Skip to select language</a></li></ul><div class="page-wrapper category-http document-page"><div class="top-banner loading"><section class="place top container"></section></div><div class="sticky-header-container"><header class="top-navigation "><div class="container "><div class="top-navigation-wrap"><a href="/en-US/" class="logo" aria-label="MDN homepage"><svg id="mdn-docs-logo" xmlns="http://www.w3.org/2000/svg" x="0" y="0" viewBox="0 0 694.9 104.4" style="enable-background:new 0 0 694.9 104.4" xml:space="preserve" role="img"><title>MDN Web Docs</title><path d="M40.3 0 11.7 92.1H0L28.5 0h11.8zm10.4 0v92.1H40.3V0h10.4zM91 0 62.5 92.1H50.8L79.3 0H91zm10.4 0v92.1H91V0h10.4z" class="logo-m"></path><path d="M627.9 95.6h67v8.8h-67v-8.8z" class="logo-_"></path><path d="M367 42h-4l-10.7 30.8h-5.5l-10.8-26h-.4l-10.5 26h-5.2L308.7 42h-3.8v-5.6H323V42h-6.5l6.8 20.4h.4l10.3-26h4.7l11.2 26h.5l5.7-20.3h-6.2v-5.6H367V42zm34.9 20c-.4 3.2-2 5.9-4.7 8.2-2.8 2.3-6.5 
Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Origin"><code>Origin</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Origin-Agent-Cluster"><code>Origin-Agent-Cluster</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy"><code>Permissions-Policy</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Pragma"><code>Pragma</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Priority"><code>Priority</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate"><code>Proxy-Authenticate</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Proxy-Authorization"><code>Proxy-Authorization</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Range"><code>Range</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Referer"><code>Referer</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy"><code>Referrer-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Refresh"><code>Refresh</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Report-To"><code>Report-To</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. 
Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints"><code>Reporting-Endpoints</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Repr-Digest"><code>Repr-Digest</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Retry-After"><code>Retry-After</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/RTT"><code>RTT</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Save-Data"><code>Save-Data</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Browsing-Topics"><code>Sec-Browsing-Topics</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Color-Scheme"><code>Sec-CH-Prefers-Color-Scheme</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Motion"><code>Sec-CH-Prefers-Reduced-Motion</code></a><abbr class="icon icon-experimental" title="Experimental. 
Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Transparency"><code>Sec-CH-Prefers-Reduced-Transparency</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA"><code>Sec-CH-UA</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Arch"><code>Sec-CH-UA-Arch</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Bitness"><code>Sec-CH-UA-Bitness</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version"><code>Sec-CH-UA-Full-Version</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version-List"><code>Sec-CH-UA-Full-Version-List</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Mobile"><code>Sec-CH-UA-Mobile</code></a><abbr class="icon icon-experimental" title="Experimental. 
Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Model"><code>Sec-CH-UA-Model</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform"><code>Sec-CH-UA-Platform</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform-Version"><code>Sec-CH-UA-Platform-Version</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest"><code>Sec-Fetch-Dest</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode"><code>Sec-Fetch-Mode</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site"><code>Sec-Fetch-Site</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User"><code>Sec-Fetch-User</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-GPC"><code>Sec-GPC</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr><abbr class="icon icon-nonstandard" title="Non-standard. 
Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Purpose"><code>Sec-Purpose</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Accept"><code>Sec-WebSocket-Accept</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Extensions"><code>Sec-WebSocket-Extensions</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Key"><code>Sec-WebSocket-Key</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Protocol"><code>Sec-WebSocket-Protocol</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Version"><code>Sec-WebSocket-Version</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Server"><code>Server</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Server-Timing"><code>Server-Timing</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Service-Worker-Navigation-Preload"><code>Service-Worker-Navigation-Preload</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Set-Cookie"><code>Set-Cookie</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Set-Login"><code>Set-Login</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/SourceMap"><code>SourceMap</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Speculation-Rules"><code>Speculation-Rules</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security"><code>Strict-Transport-Security</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode"><code>Supports-Loading-Mode</code></a><abbr class="icon icon-experimental" title="Experimental. 
Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/TE"><code>TE</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin"><code>Timing-Allow-Origin</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Tk"><code>Tk</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Trailer"><code>Trailer</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Transfer-Encoding"><code>Transfer-Encoding</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Upgrade"><code>Upgrade</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests"><code>Upgrade-Insecure-Requests</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/User-Agent"><code>User-Agent</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Vary"><code>Vary</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Via"><code>Via</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Viewport-Width"><code>Viewport-Width</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Want-Content-Digest"><code>Want-Content-Digest</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Want-Digest"><code>Want-Digest</code></a><abbr class="icon icon-nonstandard" title="Non-standard. 
Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest"><code>Want-Repr-Digest</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Warning"><code>Warning</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Width"><code>Width</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/WWW-Authenticate"><code>WWW-Authenticate</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options"><code>X-Content-Type-Options</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control"><code>X-DNS-Prefetch-Control</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Forwarded-For"><code>X-Forwarded-For</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host"><code>X-Forwarded-Host</code></a><abbr class="icon icon-nonstandard" title="Non-standard. 
Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto"><code>X-Forwarded-Proto</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Frame-Options"><code>X-Frame-Options</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-XSS-Protection"><code>X-XSS-Protection</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li></ol> </details> </li> <li class="toggle"> <details> <summary>HTTP request methods</summary> <ol><li><a href="/en-US/docs/Web/HTTP/Methods/CONNECT"><code>CONNECT</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/DELETE"><code>DELETE</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/GET"><code>GET</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/HEAD"><code>HEAD</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/OPTIONS"><code>OPTIONS</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/PATCH"><code>PATCH</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/POST"><code>POST</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/PUT"><code>PUT</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/TRACE"><code>TRACE</code></a></li></ol> </details> </li> <li class="toggle"> <details> <summary>HTTP response status codes</summary> <ol><li><a href="/en-US/docs/Web/HTTP/Status/100"><code>100 Continue</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/101"><code>101 Switching Protocols</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/102"><code>102 Processing</code></a></li><li><a 
href="/en-US/docs/Web/HTTP/Status/103"><code>103 Early Hints</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/200"><code>200 OK</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/201"><code>201 Created</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/202"><code>202 Accepted</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/203"><code>203 Non-Authoritative Information</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/204"><code>204 No Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/205"><code>205 Reset Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/206"><code>206 Partial Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/207"><code>207 Multi-Status</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/208"><code>208 Already Reported</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/226"><code>226 IM Used</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/300"><code>300 Multiple Choices</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/301"><code>301 Moved Permanently</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/302"><code>302 Found</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/303"><code>303 See Other</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/304"><code>304 Not Modified</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/307"><code>307 Temporary Redirect</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/308"><code>308 Permanent Redirect</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/400"><code>400 Bad Request</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/401"><code>401 Unauthorized</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/402"><code>402 Payment Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/403"><code>403 Forbidden</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/404"><code>404 Not Found</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/405"><code>405 Method Not 
Allowed</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/406"><code>406 Not Acceptable</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/407"><code>407 Proxy Authentication Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/408"><code>408 Request Timeout</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/409"><code>409 Conflict</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/410"><code>410 Gone</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/411"><code>411 Length Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/412"><code>412 Precondition Failed</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/413"><code>413 Content Too Large</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/414"><code>414 URI Too Long</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/415"><code>415 Unsupported Media Type</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/416"><code>416 Range Not Satisfiable</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/417"><code>417 Expectation Failed</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/418"><code>418 I'm a teapot</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/421"><code>421 Misdirected Request</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/422"><code>422 Unprocessable Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/423"><code>423 Locked</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/424"><code>424 Failed Dependency</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/425"><code>425 Too Early</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/426"><code>426 Upgrade Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/428"><code>428 Precondition Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/429"><code>429 Too Many Requests</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/431"><code>431 Request Header Fields Too Large</code></a></li><li><a 
href="/en-US/docs/Web/HTTP/Status/451"><code>451 Unavailable For Legal Reasons</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/500"><code>500 Internal Server Error</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/501"><code>501 Not Implemented</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/502"><code>502 Bad Gateway</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/503"><code>503 Service Unavailable</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/504"><code>504 Gateway Timeout</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/505"><code>505 HTTP Version Not Supported</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/506"><code>506 Variant Also Negotiates</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/507"><code>507 Insufficient Storage</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/508"><code>508 Loop Detected</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/510"><code>510 Not Extended</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/511"><code>511 Network Authentication Required</code></a></li></ol> </details> </li> <li class="toggle"> <details open=""> <summary>CSP directives</summary> <ol><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri"><code>CSP: base-uri</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content"><code>CSP: block-all-mixed-content</code></a><abbr class="icon icon-deprecated" title="Deprecated. 
Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src"><code>CSP: child-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src"><code>CSP: connect-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src"><code>CSP: default-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src"><code>CSP: fenced-frame-src</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src"><code>CSP: font-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action"><code>CSP: form-action</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"><code>CSP: frame-ancestors</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src"><code>CSP: frame-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src"><code>CSP: img-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src"><code>CSP: manifest-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src"><code>CSP: media-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src"><code>CSP: object-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src"><code>CSP: prefetch-src</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. 
Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to"><code>CSP: report-to</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri"><code>CSP: report-uri</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for"><code>CSP: require-trusted-types-for</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox"><code>CSP: sandbox</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"><code>CSP: script-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr"><code>CSP: script-src-attr</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem"><code>CSP: script-src-elem</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src"><code>CSP: style-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr"><code>CSP: style-src-attr</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem"><code>CSP: style-src-elem</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types"><code>CSP: trusted-types</code></a><abbr class="icon icon-experimental" title="Experimental. 
Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests"><code>CSP: upgrade-insecure-requests</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src"><code>CSP: worker-src</code></a></li></ol> </details> </li> <li class="toggle"> <details> <summary>CORS errors</summary> <ol><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSDisabled">Reason: CORS disabled</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSAllowOriginNotMatchingOrigin">Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowOrigin">Reason: CORS header 'Access-Control-Allow-Origin' missing</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSOriginHeaderNotAdded">Reason: CORS header 'Origin' cannot be added</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSPreflightDidNotSucceed">Reason: CORS preflight channel did not succeed</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed">Reason: CORS request did not succeed</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSExternalRedirectNotAllowed">Reason: CORS request external redirect not allowed</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSRequestNotHttp">Reason: CORS request not HTTP</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials">Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMethodNotFound">Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMIssingAllowCredentials">Reason: expected 'true' in CORS header 'Access-Control-Allow-Credentials'</a></li><li><a 
Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li></ol> </details> </li> <li><a href="/en-US/docs/Web/HTTP/Resources_and_specifications">HTTP resources and specifications</a></li> </ol> </div></div><section class="place side"></section></nav></aside><div class="toc-container"><aside class="toc"><nav><div class="document-toc-container"><section class="document-toc"><header><h2 class="document-toc-heading">In this article</h2></header><ul class="document-toc-list"><li class="document-toc-item "><a class="document-toc-link" href="#syntax">Syntax</a></li><li class="document-toc-item "><a class="document-toc-link" href="#directives">Directives</a></li><li class="document-toc-item "><a class="document-toc-link" href="#fetch_directive_syntax">Fetch directive syntax</a></li><li class="document-toc-item "><a class="document-toc-link" href="#csp_in_workers">CSP in workers</a></li><li class="document-toc-item "><a class="document-toc-link" href="#multiple_content_security_policies">Multiple content security policies</a></li><li class="document-toc-item "><a class="document-toc-link" href="#examples">Examples</a></li><li class="document-toc-item "><a class="document-toc-link" href="#specifications">Specifications</a></li><li class="document-toc-item "><a class="document-toc-link" href="#browser_compatibility">Browser compatibility</a></li><li class="document-toc-item "><a class="document-toc-link" href="#see_also">See also</a></li></ul></section></div></nav></aside><section class="place side"></section></div></div><main id="content" class="main-content "><article class="main-page-content" lang="en-US"><header><h1>Content-Security-Policy</h1><details class="baseline-indicator high"><summary><span class="indicator" role="img" aria-label="Baseline Check"></span><h2>Baseline<!-- --> <span class="not-bold">Widely available</span></h2><div class="browsers"><span class="engine" title="Supported in Chrome and Edge"><span 
class="browser chrome supported" role="img" aria-label="Chrome check"></span><span class="browser edge supported" role="img" aria-label="Edge check"></span></span><span class="engine" title="Supported in Firefox"><span class="browser firefox supported" role="img" aria-label="Firefox check"></span></span><span class="engine" title="Supported in Safari"><span class="browser safari supported" role="img" aria-label="Safari check"></span></span></div><span class="icon icon-chevron "></span></summary><div class="extra"><p>This feature is well established and works across many devices and browser versions. It’s been available across browsers since<!-- --> <!-- -->August 2016<!-- -->.</p><ul><li><a href="/en-US/docs/Glossary/Baseline/Compatibility" data-glean="baseline_link_learn_more" target="_blank" class="learn-more">Learn more</a></li><li><a href="#browser_compatibility" data-glean="baseline_link_bcd_table">See full compatibility</a></li><li><a href="https://survey.alchemer.com/s3/7634825/MDN-baseline-feedback?page=%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FContent-Security-Policy&amp;level=high" data-glean="baseline_link_feedback" class="feedback-link" target="_blank" rel="noreferrer">Report feedback</a></li></ul></div></details></header><div class="section-content"><p> The HTTP <strong><code>Content-Security-Policy</code></strong> response header allows website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against <a href="/en-US/docs/Glossary/Cross-site_scripting">cross-site scripting</a> attacks. 
</p> <p>For more information, see the introductory article on <a href="/en-US/docs/Web/HTTP/CSP">Content Security Policy (CSP)</a>.</p> <figure class="table-container"><table class="properties"> <tbody> <tr> <th scope="row">Header type</th> <td><a href="/en-US/docs/Glossary/Response_header">Response header</a></td> </tr> <tr> <th scope="row"><a href="/en-US/docs/Glossary/Forbidden_header_name">Forbidden header name</a></th> <td>no</td> </tr> </tbody> </table></figure></div><section aria-labelledby="syntax"><h2 id="syntax"><a href="#syntax">Syntax</a></h2><div class="section-content"><div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Content-Security-Policy: &lt;policy-directive&gt;; &lt;policy-directive&gt; </code></pre></div> <p> where <code>&lt;policy-directive&gt;</code> consists of: <code>&lt;directive&gt; &lt;value&gt;</code> with no internal punctuation. </p></div></section><section aria-labelledby="directives"><h2 id="directives"><a href="#directives">Directives</a></h2><div class="section-content"></div></section><section aria-labelledby="fetch_directives"><h3 id="fetch_directives"><a href="#fetch_directives">Fetch directives</a></h3><div class="section-content"><p>Fetch directives control the locations from which certain resource types may be loaded.</p> <dl> <dt id="child-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src"><code>child-src</code></a></dt> <dd> <p> Defines the valid sources for <a href="/en-US/docs/Web/API/Web_Workers_API">web workers</a> and nested browsing contexts loaded using elements such as <a href="/en-US/docs/Web/HTML/Element/frame"><code>&lt;frame&gt;</code></a> and <a href="/en-US/docs/Web/HTML/Element/iframe"><code>&lt;iframe&gt;</code></a>. 
</p> <p><a href="#fallbacks">Fallback</a> for <code>frame-src</code> and <code>worker-src</code>.</p> </dd> <dt id="connect-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src"><code>connect-src</code></a></dt> <dd> <p>Restricts the URLs which can be loaded using script interfaces.</p> </dd> <dt id="default-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src"><code>default-src</code></a></dt> <dd> <p>Serves as a fallback for the other <a href="/en-US/docs/Glossary/Fetch_directive">fetch directives</a>.</p> <p><a href="#fallbacks">Fallback</a> for all other fetch directives.</p> </dd> <dt id="fenced-frame-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src"><code>fenced-frame-src</code></a> <abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></dt> <dd> <p>Specifies valid sources for nested browsing contexts loaded into <a href="/en-US/docs/Web/HTML/Element/fencedframe"><code>&lt;fencedframe&gt;</code></a> elements.</p> </dd> <dt id="font-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src"><code>font-src</code></a></dt> <dd> <p>Specifies valid sources for fonts loaded using <a href="/en-US/docs/Web/CSS/@font-face"><code>@font-face</code></a>.</p> </dd> <dt id="frame-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src"><code>frame-src</code></a></dt> <dd> <p> Specifies valid sources for nested browsing contexts loaded into elements such as <a href="/en-US/docs/Web/HTML/Element/frame"><code>&lt;frame&gt;</code></a> and <a href="/en-US/docs/Web/HTML/Element/iframe"><code>&lt;iframe&gt;</code></a>. 
</p> </dd> <dt id="img-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src"><code>img-src</code></a></dt> <dd> <p>Specifies valid sources of images and favicons.</p> </dd> <dt id="manifest-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src"><code>manifest-src</code></a></dt> <dd> <p>Specifies valid sources of application manifest files.</p> </dd> <dt id="media-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src"><code>media-src</code></a></dt> <dd> <p> Specifies valid sources for loading media using the <a href="/en-US/docs/Web/HTML/Element/audio"><code>&lt;audio&gt;</code></a>, <a href="/en-US/docs/Web/HTML/Element/video"><code>&lt;video&gt;</code></a> and <a href="/en-US/docs/Web/HTML/Element/track"><code>&lt;track&gt;</code></a> elements. </p> </dd> <dt id="object-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src"><code>object-src</code></a></dt> <dd> <p>Specifies valid sources for the <a href="/en-US/docs/Web/HTML/Element/object"><code>&lt;object&gt;</code></a> and <a href="/en-US/docs/Web/HTML/Element/embed"><code>&lt;embed&gt;</code></a> elements.</p> </dd> <dt id="prefetch-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src"><code>prefetch-src</code></a> <abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr> <abbr class="icon icon-nonstandard" title="Non-standard. 
Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></dt> <dd> <p>Specifies valid sources to be prefetched or prerendered.</p> </dd> <dt id="script-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"><code>script-src</code></a></dt> <dd> <p>Specifies valid sources for JavaScript and WebAssembly resources.</p> <p><a href="#fallbacks">Fallback</a> for <code>script-src-elem</code> and <code>script-src-attr</code>.</p> </dd> <dt id="script-src-elem"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem"><code>script-src-elem</code></a></dt> <dd> <p>Specifies valid sources for JavaScript <a href="/en-US/docs/Web/HTML/Element/script"><code>&lt;script&gt;</code></a> elements.</p> </dd> <dt id="script-src-attr"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr"><code>script-src-attr</code></a></dt> <dd> <p>Specifies valid sources for JavaScript inline event handlers.</p> </dd> <dt id="style-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src"><code>style-src</code></a></dt> <dd> <p>Specifies valid sources for stylesheets.</p> <p><a href="#fallbacks">Fallback</a> for <code>style-src-elem</code> and <code>style-src-attr</code>.</p> </dd> <dt id="style-src-elem"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem"><code>style-src-elem</code></a></dt> <dd> <p> Specifies valid sources for stylesheets <a href="/en-US/docs/Web/HTML/Element/style"><code>&lt;style&gt;</code></a> elements and <a href="/en-US/docs/Web/HTML/Element/link"><code>&lt;link&gt;</code></a> elements with <code>rel="stylesheet"</code>. 
</p> </dd> <dt id="style-src-attr"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr"><code>style-src-attr</code></a></dt> <dd> <p>Specifies valid sources for inline styles applied to individual DOM elements.</p> </dd> <dt id="worker-src"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src"><code>worker-src</code></a></dt> <dd> <p> Specifies valid sources for <a href="/en-US/docs/Web/API/Worker"><code>Worker</code></a>, <a href="/en-US/docs/Web/API/SharedWorker"><code>SharedWorker</code></a>, or <a href="/en-US/docs/Web/API/ServiceWorker"><code>ServiceWorker</code></a> scripts. </p> </dd> </dl> <p>All fetch directives may be specified the single value <code>'none'</code>, indicating that the specific resource type should be completely blocked, or as one or more <em>source expression</em> values, indicating valid sources for that resource type. See <a href="#fetch_directive_syntax">Fetch directive syntax</a> for more details.</p> <h4 id="fallbacks">Fallbacks</h4> <p>Some fetch directives function as fallbacks for other more granular directives. 
This means that if the more granular directive is not specified, then the fallback is used to provide a policy for that resource type.</p> <ul> <li><code>default-src</code> is a fallback for all other fetch directives.</li> <li><code>script-src</code> is a fallback for <code>script-src-attr</code> and <code>script-src-elem</code>.</li> <li><code>style-src</code> is a fallback for <code>style-src-attr</code> and <code>style-src-elem</code>.</li> <li><code>child-src</code> is a fallback for <code>frame-src</code> and <code>worker-src</code>.</li> </ul> <p>For example:</p> <ul> <li>If <code>img-src</code> is omitted but <code>default-src</code> is included, then the policy defined by <code>default-src</code> will be applied to images.</li> <li>If <code>script-src-elem</code> is omitted but <code>script-src</code> is included, then the policy defined by <code>script-src</code> will be applied to <code>&lt;script&gt;</code> elements.</li> <li>If <code>script-src-elem</code> and <code>script-src</code> are both omitted, but <code>default-src</code> is included, then the policy defined by <code>default-src</code> will be applied to <code>&lt;script&gt;</code> elements.</li> </ul></div></section><section aria-labelledby="document_directives"><h3 id="document_directives"><a href="#document_directives">Document directives</a></h3><div class="section-content"><p> Document directives govern the properties of a document or <a href="/en-US/docs/Web/API/Web_Workers_API">worker</a> environment to which a policy applies. </p> <dl> <dt id="base-uri"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri"><code>base-uri</code></a></dt> <dd> <p> Restricts the URLs which can be used in a document's <a href="/en-US/docs/Web/HTML/Element/base"><code>&lt;base&gt;</code></a> element. 
</p> </dd> <dt id="sandbox"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox"><code>sandbox</code></a></dt> <dd> <p> Enables a sandbox for the requested resource similar to the <a href="/en-US/docs/Web/HTML/Element/iframe"><code>&lt;iframe&gt;</code></a> <a href="/en-US/docs/Web/HTML/Element/iframe#sandbox"><code>sandbox</code></a> attribute. </p> </dd> </dl></div></section><section aria-labelledby="navigation_directives"><h3 id="navigation_directives"><a href="#navigation_directives">Navigation directives</a></h3><div class="section-content"><p> Navigation directives govern to which locations a user can navigate or submit a form, for example. </p> <dl> <dt id="form-action"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action"><code>form-action</code></a></dt> <dd> <p> Restricts the URLs which can be used as the target of a form submissions from a given context. </p> </dd> <dt id="frame-ancestors"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"><code>frame-ancestors</code></a></dt> <dd> <p> Specifies valid parents that may embed a page using <a href="/en-US/docs/Web/HTML/Element/frame"><code>&lt;frame&gt;</code></a>, <a href="/en-US/docs/Web/HTML/Element/iframe"><code>&lt;iframe&gt;</code></a>, <a href="/en-US/docs/Web/HTML/Element/object"><code>&lt;object&gt;</code></a>, or <a href="/en-US/docs/Web/HTML/Element/embed"><code>&lt;embed&gt;</code></a>. 
</p> </dd> </dl></div></section><section aria-labelledby="reporting_directives"><h3 id="reporting_directives"><a href="#reporting_directives">Reporting directives</a></h3><div class="section-content"><p>Reporting directives control the destination URL for CSP violation reports in <code>Content-Security-Policy</code> and <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only"><code>Content-Security-Policy-Report-Only</code></a>.</p> <dl> <dt id="report-to"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to"><code>report-to</code></a></dt> <dd> <p> Provides the browser with a token identifying the reporting endpoint or group of endpoints to send CSP violation information to. The endpoints that the token represents are provided through other HTTP headers, such as <a href="/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints"><code>Reporting-Endpoints</code></a> and <a href="/en-US/docs/Web/HTTP/Headers/Report-To"><code>Report-To</code></a> <abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr>. </p> <div class="notecard warning"> <p> <strong>Warning:</strong> This directive is intended to replace <a href="#report-uri"><code>report-uri</code></a>; in browsers that support <code>report-to</code>, the <code>report-uri</code> directive is ignored. 
However, until <code>report-to</code> is broadly supported you should specify both directives as shown
This directive is intended for websites with large numbers of insecure legacy URLs that need to be rewritten. </p> </dd> </dl></div></section><section aria-labelledby="deprecated_directives"><h3 id="deprecated_directives"><a href="#deprecated_directives">Deprecated directives</a></h3><div class="section-content"><dl> <dt id="block-all-mixed-content"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content"><code>block-all-mixed-content</code></a> <abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></dt> <dd> <p>Prevents loading any assets using HTTP when the page is loaded using HTTPS.</p> </dd> <dt id="report-uri"><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri"><code>report-uri</code></a> <abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></dt> <dd> <p> Provides the browser with a URL where CSP violation reports should be sent. This has been superseded by the <a href="#report-to"><code>report-to</code></a> directive. </p> </dd> </dl></div></section><section aria-labelledby="fetch_directive_syntax"><h2 id="fetch_directive_syntax"><a href="#fetch_directive_syntax">Fetch directive syntax</a></h2><div class="section-content"><p>All fetch directives may be specified as one of the following:</p> <ul> <li>the single value <code>'none'</code>, indicating that the specific resource type should be completely blocked</li> <li>one or more <em>source expression</em> values, indicating valid sources for that resource type.</li> </ul> <p>Each source expression takes one of the forms listed below. 
Note that not all forms are applicable to all fetch directives: see the documentation for each fetch directive to find out which forms are applicable to it.</p> <p>The <code>&lt;host-source&gt;</code> and <code>&lt;scheme-source&gt;</code> formats must be unquoted, and all other formats must be enclosed in single quotes.</p></div></section><section aria-labelledby="nonce-nonce_value"><h3 id="nonce-nonce_value"><a href="#nonce-nonce_value">'nonce-&lt;nonce_value&gt;'</a></h3><div class="section-content"><p>This value consists of the string <code>nonce-</code> followed by a <a href="/en-US/docs/Glossary/Base64">base64-encoded</a> string. This string is a random value that the server generates for every HTTP response. For example:</p> <pre class="brush: plain notranslate">'nonce-416d1177-4d12-4e3b-b7c9-f6c409789fb8' </pre> <p>The server can then include the same value as the value of the <code>nonce</code> attribute of any <a href="/en-US/docs/Web/HTML/Element/script"><code>&lt;script&gt;</code></a> or <a href="/en-US/docs/Web/HTML/Element/style"><code>&lt;style&gt;</code></a> resources that they intend to load from the document.</p> <p>The browser compares the value from the CSP directive against the value in the element attribute, and loads the resource only if they match.</p> <p>If a directive contains a nonce and <code>unsafe-inline</code>, then the browser ignores <code>unsafe-inline</code>.</p> <p>See <a href="/en-US/docs/Web/HTTP/CSP#nonces">Nonces</a> in the CSP guide for more usage information.</p> <div class="notecard note"> <p><strong>Note:</strong> Nonce source expressions are only applicable to <a href="/en-US/docs/Web/HTML/Element/script"><code>&lt;script&gt;</code></a> and <a href="/en-US/docs/Web/HTML/Element/style"><code>&lt;style&gt;</code></a> elements.</p> </div></div></section><section aria-labelledby="hash_algorithm-hash_value"><h3 id="hash_algorithm-hash_value"><a 
href="#hash_algorithm-hash_value">'&lt;hash_algorithm&gt;-&lt;hash_value&gt;'</a></h3><div class="section-content"><p>This value consists of a string identifying a hash algorithm, followed by <code>-</code>, followed by a <a href="/en-US/docs/Glossary/Base64">base64-encoded</a> string representing the hash value.</p> <ul> <li>The hash algorithm identifier must be one of <code>sha256</code>, <code>sha384</code>, or <code>sha512</code>.</li> <li>The hash value is the base64-encoded <a href="/en-US/docs/Glossary/Cryptographic_hash_function">hash</a> of a <code>&lt;script&gt;</code> or <code>&lt;style&gt;</code> resource, calculated using one of the following hash functions: SHA-256, SHA-384, or SHA-512.</li> </ul> <p>For example:</p> <pre class="brush: plain notranslate">'sha256-cd9827ad...' </pre> <p>When the browser receives the document, it hashes the contents of any <code>&lt;script&gt;</code> and <code>&lt;style&gt;</code> elements, compares the result with any hashes in the CSP directive, and loads the resource only if there is a match.</p> <p>If the element loads an external resource (for example, using the <a href="/en-US/docs/Web/HTML/Element/script#src"><code>src</code></a> attribute), then the element must also have the <a href="/en-US/docs/Web/HTML/Element/script#integrity"><code>integrity</code></a> attribute set.</p> <p>If a directive contains a hash and <code>unsafe-inline</code>, then the browser ignores <code>unsafe-inline</code>.</p> <p>See <a href="/en-US/docs/Web/HTTP/CSP#hashes">Hashes</a> in the CSP guide for more usage information.</p> <div class="notecard note"> <p><strong>Note:</strong> Hash source expressions are only applicable to <a href="/en-US/docs/Web/HTML/Element/script"><code>&lt;script&gt;</code></a> and <a href="/en-US/docs/Web/HTML/Element/style"><code>&lt;style&gt;</code></a> elements.</p> </div></div></section><section aria-labelledby="host-source"><h3 id="host-source"><a href="#host-source">&lt;host-source&gt;</a></h3><div 
class="section-content"><p>The <a href="/en-US/docs/Web/URI">URL</a> or IP address of a <a href="/en-US/docs/Glossary/Host">host</a> that is a valid source for the resource.</p> <p>The scheme, port number, and path are optional.</p> <p>If the scheme is omitted, the scheme of the document's origin is used.</p> <p>When matching schemes, secure upgrades are allowed. For example:</p> <ul> <li><code>http://example.com</code> will also permit resources from <code>https://example.com</code></li> <li><code>ws://example.org</code> will also permit resources from <code>wss://example.org</code>.</li> </ul> <p>Wildcards (<code>'*'</code>) can be used for subdomains, host address, and port number, indicating that all legal values of each are valid. For example:</p> <ul> <li><code>http://*.example.com</code> permits resources from any subdomain of <code>example.com</code>, over HTTP or HTTPS.</li> </ul> <p>Paths that end in <code>/</code> match any path they are a prefix of. For example:</p> <ul> <li><code>example.com/api/</code> will permit resources from <code>example.com/api/users/new</code>.</li> </ul> <p>Paths that do not end in <code>/</code> are matched exactly. For example:</p> <ul> <li><code>https://example.com/file.js</code> permits resources from <code>https://example.com/file.js</code> but not <code>https://example.com/file.js/file2.js</code>.</li> </ul></div></section><section aria-labelledby="scheme-source"><h3 id="scheme-source"><a href="#scheme-source">&lt;scheme-source&gt;</a></h3><div class="section-content"><p>A <a href="/en-US/docs/Web/URI/Schemes">scheme</a>, such as <code>https:</code>. 
The colon is required.</p> <p>Secure upgrades are allowed, so:</p> <ul> <li><code>http:</code> will also permit resources loaded using HTTPS</li> <li><code>ws:</code> will also permit resources loaded using WSS.</li> </ul></div></section><section aria-labelledby="self"><h3 id="self"><a href="#self">'self'</a></h3><div class="section-content"><p>Resources of the given type may only be loaded from the same <a href="/en-US/docs/Glossary/Origin">origin</a> as the document.</p> <p>Secure upgrades are allowed. For example:</p> <ul> <li>If the document is served from <code>http://example.com</code>, then a CSP of <code>'self'</code> will also permit resources from <code>https://example.com</code>.</li> <li>If the document is served from <code>ws://example.org</code>, then a CSP of <code>'self'</code> will also permit resources from <code>wss://example.org</code>.</li> </ul></div></section><section aria-labelledby="unsafe-eval"><h3 id="unsafe-eval"><a href="#unsafe-eval">'unsafe-eval'</a></h3><div class="section-content"><p>By default, if a CSP contains a <code>default-src</code> or a <code>script-src</code> directive, then JavaScript functions which evaluate their arguments as JavaScript are disabled. 
This includes <a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval"><code>eval()</code></a>, the <a href="/en-US/docs/Web/API/Window/setTimeout#code"><code>code</code></a> argument to <a href="/en-US/docs/Web/API/Window/setTimeout" title="setTimeout()"><code>setTimeout()</code></a>, or the <a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function"><code>Function()</code></a> constructor.</p> <p>The <code>unsafe-eval</code> keyword can be used to undo this protection, allowing dynamic evaluation of strings as JavaScript.</p> <div class="notecard warning"> <p><strong>Warning:</strong> Developers should avoid <code>'unsafe-eval'</code>, because it defeats much of the purpose of having a CSP.</p> </div> <p>See <a href="/en-US/docs/Web/HTTP/CSP#eval_and_similar_apis"><code>eval()</code> and similar APIs</a> in the CSP guide for more usage information.</p></div></section><section aria-labelledby="wasm-unsafe-eval"><h3 id="wasm-unsafe-eval"><a href="#wasm-unsafe-eval">'wasm-unsafe-eval'</a></h3><div class="section-content"><p>By default, if a CSP contains a <code>default-src</code> or a <code>script-src</code> directive, then a page won't be allowed to compile WebAssembly using functions like <a href="/en-US/docs/WebAssembly/JavaScript_interface/compileStreaming_static"><code>WebAssembly.compileStreaming()</code></a>.</p> <p>The <code>wasm-unsafe-eval</code> keyword can be used to undo this protection. This is a much safer alternative to <code>'unsafe-eval'</code>, since it does not enable general evaluation of JavaScript.</p></div></section><section aria-labelledby="unsafe-inline"><h3 id="unsafe-inline"><a href="#unsafe-inline">'unsafe-inline'</a></h3><div class="section-content"><p>By default, if a CSP contains a <code>default-src</code> or a <code>script-src</code> directive, then inline JavaScript is not allowed to execute. 
This includes:</p> <ul> <li>inline <code>&lt;script&gt;</code> tags</li> <li>inline event handler attributes</li> <li><code>javascript:</code> URLs.</li> </ul> <p>Similarly, if a CSP contains <code>default-src</code> or a <code>style-src</code> directive, then inline CSS will not be loaded, including:</p> <ul> <li>inline <code>&lt;style&gt;</code> tags</li> <li><a href="/en-US/docs/Web/API/HTMLElement/style" title="style"><code>style</code></a> attributes.</li> </ul> <p>The <code>unsafe-inline</code> keyword can be used to undo this protection, allowing all these forms to be loaded.</p> <div class="notecard warning"> <p><strong>Warning:</strong> Developers should avoid <code>'unsafe-inline'</code>, because it defeats much of the purpose of having a CSP.</p> </div> <p>See <a href="/en-US/docs/Web/HTTP/CSP#inline_javascript">Inline JavaScript</a> in the CSP guide for more usage information.</p></div></section><section aria-labelledby="unsafe-hashes"><h3 id="unsafe-hashes"><a href="#unsafe-hashes">'unsafe-hashes'</a></h3><div class="section-content"><p>By default, if a CSP contains a <code>default-src</code> or a <code>script-src</code> directive, then inline event handler attributes like <code>onclick</code> and inline <code>style</code> attributes are not allowed to execute.</p> <p>The <code>'unsafe-hashes'</code> expression allows the browser to use <a href="#hash_algorithm-hash_value">hash expressions</a> for inline event handlers and <code>style</code> attributes. For example, a CSP might contain a directive like this:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>script-src 'unsafe-hashes' 'sha256-cd9827ad...' 
</code></pre></div> <p>If the hash value matches the hash of an inline event handler attribute value or of a <code>style</code> attribute value, then the code will be allowed to execute.</p> <div class="notecard warning"> <p><strong>Warning:</strong> The <code>'unsafe-hashes'</code> value is unsafe.</p> <p>In particular, it enables an attack in which the content of the inline event handler attribute is injected into the document as an inline <code>&lt;script&gt;</code> element. Suppose the inline event handler is:</p> <div class="code-example"><div class="example-header"><span class="language-name">html</span></div><pre class="brush: html notranslate"><code>&lt;button onclick="transferAllMyMoney()"&gt;Transfer all my money&lt;/button&gt; </code></pre></div> <p>If an attacker can inject an inline <code>&lt;script&gt;</code> element containing this code, the CSP will allow it to execute automatically.</p> <p>However, <code>'unsafe-hashes'</code> is much safer than <code>'unsafe-inline'</code>.</p> </div></div></section><section aria-labelledby="inline-speculation-rules"><h3 id="inline-speculation-rules"><a href="#inline-speculation-rules">'inline-speculation-rules'</a></h3><div class="section-content"><p>By default, if a CSP contains a <code>default-src</code> or a <code>script-src</code> directive, then inline JavaScript is not allowed to execute. 
The <code>'inline-speculation-rules'</code> keyword allows the browser to load inline <code>&lt;script&gt;</code> elements that have a <a href="/en-US/docs/Web/HTML/Element/script/type"><code>type</code></a> attribute of <a href="/en-US/docs/Web/HTML/Element/script/type/speculationrules"><code>speculationrules</code></a>.</p> <p>See the <a href="/en-US/docs/Web/API/Speculation_Rules_API">Speculation Rules API</a> for more information.</p></div></section><section aria-labelledby="strict-dynamic"><h3 id="strict-dynamic"><a href="#strict-dynamic">'strict-dynamic'</a></h3><div class="section-content"><p>The <code>'strict-dynamic'</code> keyword makes the trust conferred on a script by a <a href="#nonce-nonce_value">nonce</a> or a <a href="#hash_algorithm-hash_value">hash</a> extend to scripts that this script dynamically loads, for example by creating new <code>&lt;script&gt;</code> tags using <a href="/en-US/docs/Web/API/Document/createElement"><code>Document.createElement()</code></a> and then inserting them into the document using <a href="/en-US/docs/Web/API/Node/appendChild"><code>Node.appendChild()</code></a>.</p> <p>If this keyword is present in a directive, then the following source expression values are all ignored:</p> <ul> <li><a href="#host-source">&lt;host-source&gt;</a></li> <li><a href="#scheme-source">&lt;scheme-source&gt;</a></li> <li><a href="#self"><code>'self'</code></a></li> <li><a href="#unsafe-inline"><code>'unsafe-inline'</code></a></li> </ul> <p>See <a href="/en-US/docs/Web/HTTP/CSP#the_strict-dynamic_keyword">The <code>strict-dynamic</code> keyword</a> in the CSP guide for more usage information.</p></div></section><section aria-labelledby="report-sample"><h3 id="report-sample"><a href="#report-sample">'report-sample'</a></h3><div class="section-content"><p>If this expression is included in a directive controlling scripts or styles, and the directive causes the browser to block any inline scripts, inline styles, or event handler attributes, then the 
<a href="/en-US/docs/Web/HTTP/CSP#violation_reporting">violation report</a> that the browser generates will contain a <a href="/en-US/docs/Web/API/CSPViolationReportBody/sample" title="sample"><code>sample</code></a> property containing the first 40 characters of the blocked resource.</p></div></section><section aria-labelledby="csp_in_workers"><h2 id="csp_in_workers"><a href="#csp_in_workers">CSP in workers</a></h2><div class="section-content"><p> <a href="/en-US/docs/Web/API/Worker">Workers</a> are in general <em>not</em> governed by the content security policy of the document (or parent worker) that created them. To specify a content security policy for the worker, set a <code>Content-Security-Policy</code> response header on the response to the request for the worker script itself. </p> <p> The exception to this is if the worker script's origin is a globally unique identifier (for example, if its URL has a scheme of <code>data:</code> or <code>blob:</code>). In this case, the worker does inherit the content security policy of the document or worker that created it. </p></div></section><section aria-labelledby="multiple_content_security_policies"><h2 id="multiple_content_security_policies"><a href="#multiple_content_security_policies">Multiple content security policies</a></h2><div class="section-content"><p> The CSP mechanism allows multiple policies to be specified for a resource, including via the <code>Content-Security-Policy</code> header, the <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only"><code>Content-Security-Policy-Report-Only</code></a> header and a <a href="/en-US/docs/Web/HTML/Element/meta"><code>&lt;meta&gt;</code></a> element. </p> <p> You can use the <code>Content-Security-Policy</code> header more than once, as in the example below. Pay special attention to the <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src"><code>connect-src</code></a> directive here. 
Even though the second policy would allow the connection, the first policy contains <code>connect-src 'none'</code>. Adding additional policies <em>can only further restrict</em> the capabilities of the protected resource, which means that there will be no connection allowed and, as the strictest policy, <code>connect-src 'none'</code> is enforced. </p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Content-Security-Policy: default-src 'self' http://example.com; connect-src 'none'; Content-Security-Policy: connect-src http://example.com/; script-src http://example.com/ </code></pre></div></div></section><section aria-labelledby="examples"><h2 id="examples"><a href="#examples">Examples</a></h2><div class="section-content"></div></section><section aria-labelledby="disable_unsafe_inline_code_and_only_allow_https_resources"><h3 id="disable_unsafe_inline_code_and_only_allow_https_resources"><a href="#disable_unsafe_inline_code_and_only_allow_https_resources">Disable unsafe inline code and only allow HTTPS resources</a></h3><div class="section-content"><p> This HTTP header sets the default policy to only allow resource loading (images, fonts, scripts, etc.) over HTTPS. Because the <code>'unsafe-inline'</code> and <code>'unsafe-eval'</code> keywords are not included, inline scripts will be blocked. 
</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Content-Security-Policy: default-src https: </code></pre></div> <p>The same restrictions can be applied using the HTML <a href="/en-US/docs/Web/HTML/Element/meta"><code>&lt;meta&gt;</code></a> element.</p> <div class="code-example"><div class="example-header"><span class="language-name">html</span></div><pre class="brush: html notranslate"><code>&lt;meta http-equiv="Content-Security-Policy" content="default-src https:" /&gt; </code></pre></div></div></section><section aria-labelledby="allow_inline_code_and_https_resources_but_disable_plugins"><h3 id="allow_inline_code_and_https_resources_but_disable_plugins"><a href="#allow_inline_code_and_https_resources_but_disable_plugins">Allow inline code and HTTPS resources, but disable plugins</a></h3><div class="section-content"><p>This policy could be used on a pre-existing site that has too much inline code to fix, to ensure that resources are loaded only over HTTPS and that plugins are disabled:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none' </code></pre></div></div></section><section aria-labelledby="report_but_dont_enforce_violations_when_testing"><h3 id="report_but_dont_enforce_violations_when_testing"><a href="#report_but_dont_enforce_violations_when_testing">Report but don't enforce violations when testing</a></h3><div class="section-content"><p> This example sets the same restrictions as the previous example, but using the <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only"><code>Content-Security-Policy-Report-Only</code></a> header and the <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to"><code>report-to</code></a> directive. 
This approach is used during testing to report violations but not block code from executing. </p> <p>Endpoints (URLs) to send reports to are defined using the <a href="/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints"><code>Reporting-Endpoints</code></a> HTTP response header.</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports" </code></pre></div> <p>A particular endpoint is then selected as the report target in the CSP policy using the <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to"><code>report-to</code></a> directive.</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-url/; report-to csp-endpoint </code></pre></div> <p>Note that the <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri"><code>report-uri</code></a> <abbr class="icon icon-deprecated" title="Deprecated. 
Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr> directive is also specified above because <code>report-to</code> is not yet broadly supported by browsers.</p> <p>See <a href="/en-US/docs/Web/Security/Practical_implementation_guides/CSP">Content Security Policy (CSP) implementation</a> for more examples.</p></div></section><h2 id="specifications"><a href="#specifications">Specifications</a></h2><table class="standard-table"><thead><tr><th scope="col">Specification</th></tr></thead><tbody><tr><td><a href="https://w3c.github.io/webappsec-csp/#csp-header">Content Security Policy Level 3<!-- --> <br/><small># <!-- -->csp-header</small></a></td></tr></tbody></table><h2 id="browser_compatibility"><a href="#browser_compatibility">Browser compatibility</a></h2><p>BCD tables only load in the browser<noscript> <!-- -->with JavaScript enabled. Enable JavaScript to view data.</noscript></p><section aria-labelledby="see_also"><h2 id="see_also"><a href="#see_also">See also</a></h2><div class="section-content"><ul> <li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only"><code>Content-Security-Policy-Report-Only</code></a></li> <li><a href="/en-US/docs/Web/HTTP/CSP">Learn about: Content Security Policy</a></li> <li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy">Content Security in WebExtensions</a></li> <li><a href="https://csp.withgoogle.com/docs/strict-csp.html" class="external" target="_blank">Adopting a strict policy</a></li> <li> <a href="https://github.com/google/csp-evaluator" class="external" target="_blank">CSP Evaluator</a> - Evaluate your Content Security Policy </li> </ul></div></section></article><aside class="article-footer"><div class="article-footer-inner"><div class="svg-container"><svg xmlns="http://www.w3.org/2000/svg" width="162" height="162" viewBox="0 0 162 162" fill="none" role="none"><mask id="b" fill="#fff"><path d="M97.203 47.04c8.113-7.886 18.004-13.871 
Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Encoding\"><code>Content-Encoding</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Language\"><code>Content-Language</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Length\"><code>Content-Length</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Location\"><code>Content-Location</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Range\"><code>Content-Range</code></a></li><li><em><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\" aria-current=\"page\"><code>Content-Security-Policy</code></a></em></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only\"><code>Content-Security-Policy-Report-Only</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Type\"><code>Content-Type</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cookie\"><code>Cookie</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Critical-CH\"><code>Critical-CH</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy\"><code>Cross-Origin-Embedder-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy\"><code>Cross-Origin-Opener-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy\"><code>Cross-Origin-Resource-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Date\"><code>Date</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Device-Memory\"><code>Device-Memory</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Digest\"><code>Digest</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. 
Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/DNT\"><code>DNT</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Downlink\"><code>Downlink</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/DPR\"><code>DPR</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Early-Data\"><code>Early-Data</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/ECT\"><code>ECT</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. 
Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/ETag\"><code>ETag</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expect\"><code>Expect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expect-CT\"><code>Expect-CT</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expires\"><code>Expires</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Forwarded\"><code>Forwarded</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/From\"><code>From</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Host\"><code>Host</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Match\"><code>If-Match</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Modified-Since\"><code>If-Modified-Since</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-None-Match\"><code>If-None-Match</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Range\"><code>If-Range</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\"><code>If-Unmodified-Since</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Keep-Alive\"><code>Keep-Alive</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Last-Modified\"><code>Last-Modified</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Link\"><code>Link</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Location\"><code>Location</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Max-Forwards\"><code>Max-Forwards</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/NEL\"><code>NEL</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. 
Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/No-Vary-Search\"><code>No-Vary-Search</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Observe-Browsing-Topics\"><code>Observe-Browsing-Topics</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Origin\"><code>Origin</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Origin-Agent-Cluster\"><code>Origin-Agent-Cluster</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy\"><code>Permissions-Policy</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Pragma\"><code>Pragma</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. 
Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Priority\"><code>Priority</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate\"><code>Proxy-Authenticate</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Proxy-Authorization\"><code>Proxy-Authorization</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Range\"><code>Range</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Referer\"><code>Referer</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Referrer-Policy\"><code>Referrer-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Refresh\"><code>Refresh</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Report-To\"><code>Report-To</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints\"><code>Reporting-Endpoints</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Repr-Digest\"><code>Repr-Digest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Retry-After\"><code>Retry-After</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/RTT\"><code>RTT</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Save-Data\"><code>Save-Data</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. 
Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Browsing-Topics\"><code>Sec-Browsing-Topics</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Color-Scheme\"><code>Sec-CH-Prefers-Color-Scheme</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Motion\"><code>Sec-CH-Prefers-Reduced-Motion</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Transparency\"><code>Sec-CH-Prefers-Reduced-Transparency</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA\"><code>Sec-CH-UA</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Arch\"><code>Sec-CH-UA-Arch</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. 
Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Bitness\"><code>Sec-CH-UA-Bitness</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version\"><code>Sec-CH-UA-Full-Version</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version-List\"><code>Sec-CH-UA-Full-Version-List</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Mobile\"><code>Sec-CH-UA-Mobile</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Model\"><code>Sec-CH-UA-Model</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform\"><code>Sec-CH-UA-Platform</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform-Version\"><code>Sec-CH-UA-Platform-Version</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. 
Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest\"><code>Sec-Fetch-Dest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode\"><code>Sec-Fetch-Mode</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site\"><code>Sec-Fetch-Site</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User\"><code>Sec-Fetch-User</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-GPC\"><code>Sec-GPC</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Purpose\"><code>Sec-Purpose</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Accept\"><code>Sec-WebSocket-Accept</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Extensions\"><code>Sec-WebSocket-Extensions</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Key\"><code>Sec-WebSocket-Key</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Protocol\"><code>Sec-WebSocket-Protocol</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Version\"><code>Sec-WebSocket-Version</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Server\"><code>Server</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Server-Timing\"><code>Server-Timing</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Service-Worker-Navigation-Preload\"><code>Service-Worker-Navigation-Preload</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Set-Cookie\"><code>Set-Cookie</code></a></li><li><a 
href=\"/en-US/docs/Web/HTTP/Headers/Set-Login\"><code>Set-Login</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/SourceMap\"><code>SourceMap</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Speculation-Rules\"><code>Speculation-Rules</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security\"><code>Strict-Transport-Security</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode\"><code>Supports-Loading-Mode</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/TE\"><code>TE</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin\"><code>Timing-Allow-Origin</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Tk\"><code>Tk</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. 
Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Trailer\"><code>Trailer</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Transfer-Encoding\"><code>Transfer-Encoding</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Upgrade\"><code>Upgrade</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests\"><code>Upgrade-Insecure-Requests</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/User-Agent\"><code>User-Agent</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Vary\"><code>Vary</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Via\"><code>Via</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Viewport-Width\"><code>Viewport-Width</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Want-Content-Digest\"><code>Want-Content-Digest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Want-Digest\"><code>Want-Digest</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest\"><code>Want-Repr-Digest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Warning\"><code>Warning</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. 
Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Width\"><code>Width</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/WWW-Authenticate\"><code>WWW-Authenticate</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options\"><code>X-Content-Type-Options</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control\"><code>X-DNS-Prefetch-Control</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-For\"><code>X-Forwarded-For</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host\"><code>X-Forwarded-Host</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto\"><code>X-Forwarded-Proto</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Frame-Options\"><code>X-Frame-Options</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. 
Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-XSS-Protection\"><code>X-XSS-Protection</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li></ol>\n </details>\n </li>\n <li class=\"toggle\">\n <details>\n <summary>HTTP request methods</summary>\n <ol><li><a href=\"/en-US/docs/Web/HTTP/Methods/CONNECT\"><code>CONNECT</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/DELETE\"><code>DELETE</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/GET\"><code>GET</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/HEAD\"><code>HEAD</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/OPTIONS\"><code>OPTIONS</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/PATCH\"><code>PATCH</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/POST\"><code>POST</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/PUT\"><code>PUT</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/TRACE\"><code>TRACE</code></a></li></ol>\n </details>\n </li>\n <li class=\"toggle\">\n <details>\n <summary>HTTP response status codes</summary>\n <ol><li><a href=\"/en-US/docs/Web/HTTP/Status/100\"><code>100 Continue</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/101\"><code>101 Switching Protocols</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/102\"><code>102 Processing</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/103\"><code>103 Early Hints</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/200\"><code>200 OK</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/201\"><code>201 Created</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/202\"><code>202 Accepted</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/203\"><code>203 Non-Authoritative Information</code></a></li><li><a 
href=\"/en-US/docs/Web/HTTP/Status/204\"><code>204 No Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/205\"><code>205 Reset Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/206\"><code>206 Partial Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/207\"><code>207 Multi-Status</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/208\"><code>208 Already Reported</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/226\"><code>226 IM Used</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/300\"><code>300 Multiple Choices</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/301\"><code>301 Moved Permanently</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/302\"><code>302 Found</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/303\"><code>303 See Other</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/304\"><code>304 Not Modified</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/307\"><code>307 Temporary Redirect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/308\"><code>308 Permanent Redirect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/400\"><code>400 Bad Request</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/401\"><code>401 Unauthorized</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/402\"><code>402 Payment Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/403\"><code>403 Forbidden</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/404\"><code>404 Not Found</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/405\"><code>405 Method Not Allowed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/406\"><code>406 Not Acceptable</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/407\"><code>407 Proxy Authentication Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/408\"><code>408 Request Timeout</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/409\"><code>409 
Conflict</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/410\"><code>410 Gone</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/411\"><code>411 Length Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/412\"><code>412 Precondition Failed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/413\"><code>413 Content Too Large</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/414\"><code>414 URI Too Long</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/415\"><code>415 Unsupported Media Type</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/416\"><code>416 Range Not Satisfiable</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/417\"><code>417 Expectation Failed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/418\"><code>418 I'm a teapot</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/421\"><code>421 Misdirected Request</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/422\"><code>422 Unprocessable Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/423\"><code>423 Locked</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/424\"><code>424 Failed Dependency</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/425\"><code>425 Too Early</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/426\"><code>426 Upgrade Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/428\"><code>428 Precondition Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/429\"><code>429 Too Many Requests</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/431\"><code>431 Request Header Fields Too Large</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/451\"><code>451 Unavailable For Legal Reasons</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/500\"><code>500 Internal Server Error</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/501\"><code>501 Not Implemented</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/502\"><code>502 
Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/storage-access\">Permissions-Policy: storage-access</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/usb\">Permissions-Policy: usb</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share\">Permissions-Policy: web-share</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/window-management\">Permissions-Policy: window-management</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking\">Permissions-Policy: xr-spatial-tracking</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></li></ol>\n </details>\n </li>\n <li><a href=\"/en-US/docs/Web/HTTP/Resources_and_specifications\">HTTP resources and specifications</a></li>\n </ol>\n","sidebarMacro":"HTTPSidebar","body":[{"type":"prose","value":{"id":null,"title":null,"isH3":false,"content":"<p>\n The HTTP <strong><code>Content-Security-Policy</code></strong> response header allows website administrators to control resources the user agent is allowed to load for a given page. 
With a few exceptions, policies mostly involve specifying server origins and script endpoints.\n This helps guard against <a href=\"/en-US/docs/Glossary/Cross-site_scripting\">cross-site scripting</a> attacks.\n</p>\n<p>For more information, see the introductory article on <a href=\"/en-US/docs/Web/HTTP/CSP\">Content Security Policy (CSP)</a>.</p>\n<figure class=\"table-container\"><table class=\"properties\">\n <tbody>\n <tr>\n <th scope=\"row\">Header type</th>\n <td><a href=\"/en-US/docs/Glossary/Response_header\">Response header</a></td>\n </tr>\n <tr>\n <th scope=\"row\"><a href=\"/en-US/docs/Glossary/Forbidden_header_name\">Forbidden header name</a></th>\n <td>no</td>\n </tr>\n </tbody>\n</table></figure>"}},{"type":"prose","value":{"id":"syntax","title":"Syntax","isH3":false,"content":"<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Content-Security-Policy: &lt;policy-directive&gt;; &lt;policy-directive&gt;\n</code></pre></div>\n<p>\n where <code>&lt;policy-directive&gt;</code> consists of:\n <code>&lt;directive&gt; &lt;value&gt;</code> with no internal punctuation.\n</p>"}},{"type":"prose","value":{"id":"directives","title":"Directives","isH3":false,"content":""}},{"type":"prose","value":{"id":"fetch_directives","title":"Fetch directives","isH3":true,"content":"<p>Fetch directives control the locations from which certain resource types may be loaded.</p>\n<dl>\n <dt id=\"child-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src\"><code>child-src</code></a></dt>\n <dd>\n <p>\n Defines the valid sources for <a href=\"/en-US/docs/Web/API/Web_Workers_API\">web workers</a> and nested browsing contexts loaded using elements such as\n <a href=\"/en-US/docs/Web/HTML/Element/frame\"><code>&lt;frame&gt;</code></a> and <a href=\"/en-US/docs/Web/HTML/Element/iframe\"><code>&lt;iframe&gt;</code></a>.\n </p>\n <p><a 
href=\"#fallbacks\">Fallback</a> for <code>frame-src</code> and <code>worker-src</code>.</p>\n </dd>\n <dt id=\"connect-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src\"><code>connect-src</code></a></dt>\n <dd>\n <p>Restricts the URLs which can be loaded using script interfaces.</p>\n </dd>\n <dt id=\"default-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src\"><code>default-src</code></a></dt>\n <dd>\n <p>Serves as a fallback for the other <a href=\"/en-US/docs/Glossary/Fetch_directive\">fetch directives</a>.</p>\n <p><a href=\"#fallbacks\">Fallback</a> for all other fetch directives.</p>\n </dd>\n <dt id=\"fenced-frame-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src\"><code>fenced-frame-src</code></a> <abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></dt>\n <dd>\n <p>Specifies valid sources for nested browsing contexts loaded into <a href=\"/en-US/docs/Web/HTML/Element/fencedframe\"><code>&lt;fencedframe&gt;</code></a> elements.</p>\n </dd>\n <dt id=\"font-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src\"><code>font-src</code></a></dt>\n <dd>\n <p>Specifies valid sources for fonts loaded using <a href=\"/en-US/docs/Web/CSS/@font-face\"><code>@font-face</code></a>.</p>\n </dd>\n <dt id=\"frame-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src\"><code>frame-src</code></a></dt>\n <dd>\n <p>\n Specifies valid sources for nested browsing contexts loaded into elements such as\n <a href=\"/en-US/docs/Web/HTML/Element/frame\"><code>&lt;frame&gt;</code></a> and <a href=\"/en-US/docs/Web/HTML/Element/iframe\"><code>&lt;iframe&gt;</code></a>.\n </p>\n </dd>\n <dt id=\"img-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src\"><code>img-src</code></a></dt>\n <dd>\n <p>Specifies 
valid sources of images and favicons.</p>\n </dd>\n <dt id=\"manifest-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src\"><code>manifest-src</code></a></dt>\n <dd>\n <p>Specifies valid sources of application manifest files.</p>\n </dd>\n <dt id=\"media-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src\"><code>media-src</code></a></dt>\n <dd>\n <p>\n Specifies valid sources for loading media using the <a href=\"/en-US/docs/Web/HTML/Element/audio\"><code>&lt;audio&gt;</code></a>,\n <a href=\"/en-US/docs/Web/HTML/Element/video\"><code>&lt;video&gt;</code></a> and <a href=\"/en-US/docs/Web/HTML/Element/track\"><code>&lt;track&gt;</code></a> elements.\n </p>\n </dd>\n <dt id=\"object-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src\"><code>object-src</code></a></dt>\n <dd>\n <p>Specifies valid sources for the <a href=\"/en-US/docs/Web/HTML/Element/object\"><code>&lt;object&gt;</code></a> and <a href=\"/en-US/docs/Web/HTML/Element/embed\"><code>&lt;embed&gt;</code></a> elements.</p>\n </dd>\n <dt id=\"prefetch-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src\"><code>prefetch-src</code></a> <abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr> <abbr class=\"icon icon-nonstandard\" title=\"Non-standard. 
Check cross-browser support before using.\">\n <span class=\"visually-hidden\">Non-standard</span>\n</abbr></dt>\n <dd>\n <p>Specifies valid sources to be prefetched or prerendered.</p>\n </dd>\n <dt id=\"script-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\"><code>script-src</code></a></dt>\n <dd>\n <p>Specifies valid sources for JavaScript and WebAssembly resources.</p>\n <p><a href=\"#fallbacks\">Fallback</a> for <code>script-src-elem</code> and <code>script-src-attr</code>.</p>\n </dd>\n <dt id=\"script-src-elem\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem\"><code>script-src-elem</code></a></dt>\n <dd>\n <p>Specifies valid sources for JavaScript <a href=\"/en-US/docs/Web/HTML/Element/script\"><code>&lt;script&gt;</code></a> elements.</p>\n </dd>\n <dt id=\"script-src-attr\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr\"><code>script-src-attr</code></a></dt>\n <dd>\n <p>Specifies valid sources for JavaScript inline event handlers.</p>\n </dd>\n <dt id=\"style-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src\"><code>style-src</code></a></dt>\n <dd>\n <p>Specifies valid sources for stylesheets.</p>\n <p><a href=\"#fallbacks\">Fallback</a> for <code>style-src-elem</code> and <code>style-src-attr</code>.</p>\n </dd>\n <dt id=\"style-src-elem\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem\"><code>style-src-elem</code></a></dt>\n <dd>\n <p>\n Specifies valid sources for stylesheets <a href=\"/en-US/docs/Web/HTML/Element/style\"><code>&lt;style&gt;</code></a> elements and\n <a href=\"/en-US/docs/Web/HTML/Element/link\"><code>&lt;link&gt;</code></a> elements with <code>rel=\"stylesheet\"</code>.\n </p>\n </dd>\n <dt id=\"style-src-attr\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr\"><code>style-src-attr</code></a></dt>\n <dd>\n <p>Specifies valid sources for inline styles 
applied to individual DOM elements.</p>\n </dd>\n <dt id=\"worker-src\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src\"><code>worker-src</code></a></dt>\n <dd>\n <p>\n Specifies valid sources for <a href=\"/en-US/docs/Web/API/Worker\"><code>Worker</code></a>, <a href=\"/en-US/docs/Web/API/SharedWorker\"><code>SharedWorker</code></a>, or\n <a href=\"/en-US/docs/Web/API/ServiceWorker\"><code>ServiceWorker</code></a> scripts.\n </p>\n </dd>\n</dl>\n<p>All fetch directives may be specified as the single value <code>'none'</code>, indicating that the specific resource type should be completely blocked, or as one or more <em>source expression</em> values, indicating valid sources for that resource type. See <a href=\"#fetch_directive_syntax\">Fetch directive syntax</a> for more details.</p>\n<h4 id=\"fallbacks\">Fallbacks</h4>\n<p>Some fetch directives function as fallbacks for other more granular directives. This means that if the more granular directive is not specified, then the fallback is used to provide a policy for that resource type.</p>\n<ul>\n <li><code>default-src</code> is a fallback for all other fetch directives.</li>\n <li><code>script-src</code> is a fallback for <code>script-src-attr</code> and <code>script-src-elem</code>.</li>\n <li><code>style-src</code> is a fallback for <code>style-src-attr</code> and <code>style-src-elem</code>.</li>\n <li><code>child-src</code> is a fallback for <code>frame-src</code> and <code>worker-src</code>.</li>\n</ul>\n<p>For example:</p>\n<ul>\n <li>If <code>img-src</code> is omitted but <code>default-src</code> is included, then the policy defined by <code>default-src</code> will be applied to images.</li>\n <li>If <code>script-src-elem</code> is omitted but <code>script-src</code> is included, then the policy defined by <code>script-src</code> will be applied to <code>&lt;script&gt;</code> elements.</li>\n <li>If <code>script-src-elem</code> and <code>script-src</code> are both omitted, but 
<code>default-src</code> is included, then the policy defined by <code>default-src</code> will be applied to <code>&lt;script&gt;</code> elements.</li>\n</ul>"}},{"type":"prose","value":{"id":"document_directives","title":"Document directives","isH3":true,"content":"<p>\n Document directives govern the properties of a document or <a href=\"/en-US/docs/Web/API/Web_Workers_API\">worker</a> environment to which a policy\n applies.\n</p>\n<dl>\n <dt id=\"base-uri\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri\"><code>base-uri</code></a></dt>\n <dd>\n <p>\n Restricts the URLs which can be used in a document's <a href=\"/en-US/docs/Web/HTML/Element/base\"><code>&lt;base&gt;</code></a>\n element.\n </p>\n </dd>\n <dt id=\"sandbox\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox\"><code>sandbox</code></a></dt>\n <dd>\n <p>\n Enables a sandbox for the requested resource similar to the\n <a href=\"/en-US/docs/Web/HTML/Element/iframe\"><code>&lt;iframe&gt;</code></a> <a href=\"/en-US/docs/Web/HTML/Element/iframe#sandbox\"><code>sandbox</code></a> attribute.\n </p>\n </dd>\n</dl>"}},{"type":"prose","value":{"id":"navigation_directives","title":"Navigation directives","isH3":true,"content":"<p>\n Navigation directives govern, for example, the locations to which a user can\n navigate or submit a form.\n</p>\n<dl>\n <dt id=\"form-action\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action\"><code>form-action</code></a></dt>\n <dd>\n <p>\n Restricts the URLs which can be used as the target of form submissions from a\n given context.\n </p>\n </dd>\n <dt id=\"frame-ancestors\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors\"><code>frame-ancestors</code></a></dt>\n <dd>\n <p>\n Specifies valid parents that may embed a page using <a href=\"/en-US/docs/Web/HTML/Element/frame\"><code>&lt;frame&gt;</code></a>,\n <a 
href=\"/en-US/docs/Web/HTML/Element/iframe\"><code>&lt;iframe&gt;</code></a>, <a href=\"/en-US/docs/Web/HTML/Element/object\"><code>&lt;object&gt;</code></a>, or <a href=\"/en-US/docs/Web/HTML/Element/embed\"><code>&lt;embed&gt;</code></a>.\n </p>\n </dd>\n</dl>"}},{"type":"prose","value":{"id":"reporting_directives","title":"Reporting directives","isH3":true,"content":"<p>Reporting directives control the destination URL for CSP violation reports in <code>Content-Security-Policy</code> and <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only\"><code>Content-Security-Policy-Report-Only</code></a>.</p>\n<dl>\n <dt id=\"report-to\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to\"><code>report-to</code></a></dt>\n <dd>\n <p>\n Provides the browser with a token identifying the reporting endpoint or group of endpoints to send CSP violation information to.\n The endpoints that the token represents are provided through other HTTP headers, such as <a href=\"/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints\"><code>Reporting-Endpoints</code></a> and <a href=\"/en-US/docs/Web/HTTP/Headers/Report-To\"><code>Report-To</code></a> <abbr class=\"icon icon-deprecated\" title=\"Deprecated. 
Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr>.\n </p>\n <div class=\"notecard warning\">\n <p>\n <strong>Warning:</strong> This directive is intended to replace <a href=\"#report-uri\"><code>report-uri</code></a>; in browsers that support <code>report-to</code>, the <code>report-uri</code> directive is ignored.\n However, until <code>report-to</code> is broadly supported, you should specify both directives as shown (where <code>endpoint_name</code> is the name of a separately provided endpoint):\n </p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Content-Security-Policy: …; report-uri https://endpoint.example.com; report-to endpoint_name\n</code></pre></div>\n </div>\n </dd>\n</dl>"}},{"type":"prose","value":{"id":"other_directives","title":"Other directives","isH3":true,"content":"<dl>\n <dt id=\"require-trusted-types-for\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for\"><code>require-trusted-types-for</code></a> <abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></dt>\n <dd>\n <p>Enforces <a href=\"/en-US/docs/Web/API/Trusted_Types_API\">Trusted Types</a> at the DOM XSS injection sinks.</p>\n </dd>\n <dt id=\"trusted-types\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types\"><code>trusted-types</code></a> <abbr class=\"icon icon-experimental\" title=\"Experimental. 
Expect behavior to change in the future.\">\n <span class=\"visually-hidden\">Experimental</span>\n</abbr></dt>\n <dd>\n <p>\n Used to specify an allowlist of <a href=\"/en-US/docs/Web/API/Trusted_Types_API\">Trusted Types</a> policies.\n Trusted Types allows applications to lock down DOM XSS injection sinks to only accept non-spoofable, typed values in place of strings.\n </p>\n </dd>\n <dt id=\"upgrade-insecure-requests\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests\"><code>upgrade-insecure-requests</code></a></dt>\n <dd>\n <p>\n Instructs user agents to treat all of a site's insecure URLs (those served over\n HTTP) as though they have been replaced with secure URLs (those served over HTTPS).\n This directive is intended for websites with large numbers of insecure legacy URLs\n that need to be rewritten.\n </p>\n </dd>\n</dl>"}},{"type":"prose","value":{"id":"deprecated_directives","title":"Deprecated directives","isH3":true,"content":"<dl>\n <dt id=\"block-all-mixed-content\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content\"><code>block-all-mixed-content</code></a> <abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></dt>\n <dd>\n <p>Prevents loading any assets using HTTP when the page is loaded using HTTPS.</p>\n </dd>\n <dt id=\"report-uri\"><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri\"><code>report-uri</code></a> <abbr class=\"icon icon-deprecated\" title=\"Deprecated. 
Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr></dt>\n <dd>\n <p>\n Provides the browser with a URL where CSP violation reports should be sent.\n This has been superseded by the <a href=\"#report-to\"><code>report-to</code></a> directive.\n </p>\n </dd>\n</dl>"}},{"type":"prose","value":{"id":"fetch_directive_syntax","title":"Fetch directive syntax","isH3":false,"content":"<p>All fetch directives may be specified as one of the following:</p>\n<ul>\n <li>the single value <code>'none'</code>, indicating that the specific resource type should be completely blocked</li>\n <li>one or more <em>source expression</em> values, indicating valid sources for that resource type.</li>\n</ul>\n<p>Each source expression takes one of the forms listed below. Note that not all forms are applicable to all fetch directives: see the documentation for each fetch directive to find out which forms are applicable to it.</p>\n<p>The <code>&lt;host-source&gt;</code> and <code>&lt;scheme-source&gt;</code> formats must be unquoted, and all other formats must be enclosed in single quotes.</p>"}},{"type":"prose","value":{"id":"nonce-nonce_value","title":"'nonce-&lt;nonce_value&gt;'","isH3":true,"content":"<p>This value consists of the string <code>nonce-</code> followed by a <a href=\"/en-US/docs/Glossary/Base64\">base64-encoded</a> string. This string is a random value that the server generates for every HTTP response. 
For example:</p>\n<pre class=\"brush: plain notranslate\">'nonce-416d1177-4d12-4e3b-b7c9-f6c409789fb8'\n</pre>\n<p>The server can then include the same value as the value of the <code>nonce</code> attribute of any <a href=\"/en-US/docs/Web/HTML/Element/script\"><code>&lt;script&gt;</code></a> or <a href=\"/en-US/docs/Web/HTML/Element/style\"><code>&lt;style&gt;</code></a> resources that they intend to load from the document.</p>\n<p>The browser compares the value from the CSP directive against the value in the element attribute, and loads the resource only if they match.</p>\n<p>If a directive contains a nonce and <code>unsafe-inline</code>, then the browser ignores <code>unsafe-inline</code>.</p>\n<p>See <a href=\"/en-US/docs/Web/HTTP/CSP#nonces\">Nonces</a> in the CSP guide for more usage information.</p>\n<div class=\"notecard note\">\n <p><strong>Note:</strong> Nonce source expressions are only applicable to <a href=\"/en-US/docs/Web/HTML/Element/script\"><code>&lt;script&gt;</code></a> and <a href=\"/en-US/docs/Web/HTML/Element/style\"><code>&lt;style&gt;</code></a> elements.</p>\n</div>"}},{"type":"prose","value":{"id":"hash_algorithm-hash_value","title":"'&lt;hash_algorithm&gt;-&lt;hash_value&gt;'","isH3":true,"content":"<p>This value consists of a string identifying a hash algorithm, followed by <code>-</code>, followed by a <a href=\"/en-US/docs/Glossary/Base64\">base64-encoded</a> string representing the hash value.</p>\n<ul>\n <li>The hash algorithm identifier must be one of <code>sha256</code>, <code>sha384</code>, or <code>sha512</code>.</li>\n <li>The hash value is the base64-encoded <a href=\"/en-US/docs/Glossary/Cryptographic_hash_function\">hash</a> of a <code>&lt;script&gt;</code> or <code>&lt;style&gt;</code> resource, calculated using one of the following hash functions: SHA-256, SHA-384, or SHA-512.</li>\n</ul>\n<p>For example:</p>\n<pre class=\"brush: plain notranslate\">'sha256-cd9827ad...'\n</pre>\n<p>When the browser receives the document, 
it hashes the contents of any <code>&lt;script&gt;</code> and <code>&lt;style&gt;</code> elements, compares the result with any hashes in the CSP directive, and loads the resource only if there is a match.</p>\n<p>If the element loads an external resource (for example, using the <a href=\"/en-US/docs/Web/HTML/Element/script#src\"><code>src</code></a> attribute), then the element must also have the <a href=\"/en-US/docs/Web/HTML/Element/script#integrity\"><code>integrity</code></a> attribute set.</p>\n<p>If a directive contains a hash and <code>unsafe-inline</code>, then the browser ignores <code>unsafe-inline</code>.</p>\n<p>See <a href=\"/en-US/docs/Web/HTTP/CSP#hashes\">Hashes</a> in the CSP guide for more usage information.</p>\n<div class=\"notecard note\">\n <p><strong>Note:</strong> Hash source expressions are only applicable to <a href=\"/en-US/docs/Web/HTML/Element/script\"><code>&lt;script&gt;</code></a> and <a href=\"/en-US/docs/Web/HTML/Element/style\"><code>&lt;style&gt;</code></a> elements.</p>\n</div>"}},{"type":"prose","value":{"id":"host-source","title":"&lt;host-source&gt;","isH3":true,"content":"<p>The <a href=\"/en-US/docs/Web/URI\">URL</a> or IP address of a <a href=\"/en-US/docs/Glossary/Host\">host</a> that is a valid source for the resource.</p>\n<p>The scheme, port number, and path are optional.</p>\n<p>If the scheme is omitted, the scheme of the document's origin is used.</p>\n<p>When matching schemes, secure upgrades are allowed. For example:</p>\n<ul>\n <li><code>http://example.com</code> will also permit resources from <code>https://example.com</code></li>\n <li><code>ws://example.org</code> will also permit resources from <code>wss://example.org</code>.</li>\n</ul>\n<p>Wildcards (<code>'*'</code>) can be used for subdomains, host address, and port number, indicating that all legal values of each are valid. 
For example:</p>\n<ul>\n <li><code>http://*.example.com</code> permits resources from any subdomain of <code>example.com</code>, over HTTP or HTTPS.</li>\n</ul>\n<p>Paths that end in <code>/</code> match any path they are a prefix of. For example:</p>\n<ul>\n <li><code>example.com/api/</code> will permit resources from <code>example.com/api/users/new</code>.</li>\n</ul>\n<p>Paths that do not end in <code>/</code> are matched exactly. For example:</p>\n<ul>\n <li><code>https://example.com/file.js</code> permits resources from <code>https://example.com/file.js</code> but not <code>https://example.com/file.js/file2.js</code>.</li>\n</ul>"}},{"type":"prose","value":{"id":"scheme-source","title":"&lt;scheme-source&gt;","isH3":true,"content":"<p>A <a href=\"/en-US/docs/Web/URI/Schemes\">scheme</a>, such as <code>https:</code>. The colon is required.</p>\n<p>Secure upgrades are allowed, so:</p>\n<ul>\n <li><code>http:</code> will also permit resources loaded using HTTPS</li>\n <li><code>ws:</code> will also permit resources loaded using WSS.</li>\n</ul>"}},{"type":"prose","value":{"id":"self","title":"'self'","isH3":true,"content":"<p>Resources of the given type may only be loaded from the same <a href=\"/en-US/docs/Glossary/Origin\">origin</a> as the document.</p>\n<p>Secure upgrades are allowed. For example:</p>\n<ul>\n <li>If the document is served from <code>http://example.com</code>, then a CSP of <code>'self'</code> will also permit resources from <code>https://example.com</code>.</li>\n <li>If the document is served from <code>ws://example.org</code>, then a CSP of <code>'self'</code> will also permit resources from <code>wss://example.org</code>.</li>\n</ul>"}},{"type":"prose","value":{"id":"unsafe-eval","title":"'unsafe-eval'","isH3":true,"content":"<p>By default, if a CSP contains a <code>default-src</code> or a <code>script-src</code> directive, then JavaScript functions which evaluate their arguments as JavaScript are disabled. 
This includes <a href=\"/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval\"><code>eval()</code></a>, the <a href=\"/en-US/docs/Web/API/Window/setTimeout#code\"><code>code</code></a> argument to <a href=\"/en-US/docs/Web/API/Window/setTimeout\" title=\"setTimeout()\"><code>setTimeout()</code></a>, or the <a href=\"/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function\"><code>Function()</code></a> constructor.</p>\n<p>The <code>unsafe-eval</code> keyword can be used to undo this protection, allowing dynamic evaluation of strings as JavaScript.</p>\n<div class=\"notecard warning\">\n <p><strong>Warning:</strong> Developers should avoid <code>'unsafe-eval'</code>, because it defeats much of the purpose of having a CSP.</p>\n</div>\n<p>See <a href=\"/en-US/docs/Web/HTTP/CSP#eval_and_similar_apis\"><code>eval()</code> and similar APIs</a> in the CSP guide for more usage information.</p>"}},{"type":"prose","value":{"id":"wasm-unsafe-eval","title":"'wasm-unsafe-eval'","isH3":true,"content":"<p>By default, if a CSP contains a <code>default-src</code> or a <code>script-src</code> directive, then a page won't be allowed to compile WebAssembly using functions like <a href=\"/en-US/docs/WebAssembly/JavaScript_interface/compileStreaming_static\"><code>WebAssembly.compileStreaming()</code></a>.</p>\n<p>The <code>wasm-unsafe-eval</code> keyword can be used to undo this protection. This is a much safer alternative to <code>'unsafe-eval'</code>, since it does not enable general evaluation of JavaScript.</p>"}},{"type":"prose","value":{"id":"unsafe-inline","title":"'unsafe-inline'","isH3":true,"content":"<p>By default, if a CSP contains a <code>default-src</code> or a <code>script-src</code> directive, then inline JavaScript is not allowed to execute. 
This includes:</p>\n<ul>\n <li>inline <code>&lt;script&gt;</code> tags</li>\n <li>inline event handler attributes</li>\n <li><code>javascript:</code> URLs.</li>\n</ul>\n<p>Similarly, if a CSP contains <code>default-src</code> or a <code>style-src</code> directive, then inline CSS will not be loaded, including:</p>\n<ul>\n <li>inline <code>&lt;style&gt;</code> tags</li>\n <li><a href=\"/en-US/docs/Web/API/HTMLElement/style\" title=\"style\"><code>style</code></a> attributes.</li>\n</ul>\n<p>The <code>unsafe-inline</code> keyword can be used to undo this protection, allowing all these forms to be loaded.</p>\n<div class=\"notecard warning\">\n <p><strong>Warning:</strong> Developers should avoid <code>'unsafe-inline'</code>, because it defeats much of the purpose of having a CSP.</p>\n</div>\n<p>See <a href=\"/en-US/docs/Web/HTTP/CSP#inline_javascript\">Inline JavaScript</a> in the CSP guide for more usage information.</p>"}},{"type":"prose","value":{"id":"unsafe-hashes","title":"'unsafe-hashes'","isH3":true,"content":"<p>By default, if a CSP contains a <code>default-src</code> or a <code>script-src</code> directive, then inline event handler attributes like <code>onclick</code> and inline <code>style</code> attributes are not allowed to execute.</p>\n<p>The <code>'unsafe-hashes'</code> expression allows the browser to use <a href=\"#hash_algorithm-hash_value\">hash expressions</a> for inline event handlers and <code>style</code> attributes. 
For example, a CSP might contain a directive like this:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>script-src 'unsafe-hashes' 'sha256-cd9827ad...'\n</code></pre></div>\n<p>If the hash value matches the hash of an inline event handler attribute value or of a <code>style</code> attribute value, then the code will be allowed to execute.</p>\n<div class=\"notecard warning\">\n <p><strong>Warning:</strong> The <code>'unsafe-hashes'</code> value is unsafe.</p>\n <p>In particular, it enables an attack in which the content of the inline event handler attribute is injected into the document as an inline <code>&lt;script&gt;</code> element. Suppose the inline event handler is:</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">html</span></div><pre class=\"brush: html notranslate\"><code>&lt;button onclick=\"transferAllMyMoney()\"&gt;Transfer all my money&lt;/button&gt;\n</code></pre></div>\n <p>If an attacker can inject an inline <code>&lt;script&gt;</code> element containing this code, the CSP will allow it to execute automatically.</p>\n <p>However, <code>'unsafe-hashes'</code> is much safer than <code>'unsafe-inline'</code>.</p>\n</div>"}},{"type":"prose","value":{"id":"inline-speculation-rules","title":"'inline-speculation-rules'","isH3":true,"content":"<p>By default, if a CSP contains a <code>default-src</code> or a <code>script-src</code> directive, then inline JavaScript is not allowed to execute. 
The <code>'inline-speculation-rules'</code> keyword allows the browser to load inline <code>&lt;script&gt;</code> elements that have a <a href=\"/en-US/docs/Web/HTML/Element/script/type\"><code>type</code></a> attribute of <a href=\"/en-US/docs/Web/HTML/Element/script/type/speculationrules\"><code>speculationrules</code></a>.</p>\n<p>See the <a href=\"/en-US/docs/Web/API/Speculation_Rules_API\">Speculation Rules API</a> for more information.</p>"}},{"type":"prose","value":{"id":"strict-dynamic","title":"'strict-dynamic'","isH3":true,"content":"<p>The <code>'strict-dynamic'</code> keyword makes the trust conferred on a script by a <a href=\"#nonce-nonce_value\">nonce</a> or a <a href=\"#hash_algorithm-hash_value\">hash</a> extend to scripts that this script dynamically loads, for example by creating new <code>&lt;script&gt;</code> tags using <a href=\"/en-US/docs/Web/API/Document/createElement\"><code>Document.createElement()</code></a> and then inserting them into the document using <a href=\"/en-US/docs/Web/API/Node/appendChild\"><code>Node.appendChild()</code></a>.</p>\n<p>If this keyword is present in a directive, then the following source expression values are all ignored:</p>\n<ul>\n <li><a href=\"#host-source\">&lt;host-source&gt;</a></li>\n <li><a href=\"#scheme-source\">&lt;scheme-source&gt;</a></li>\n <li><a href=\"#self\"><code>'self'</code></a></li>\n <li><a href=\"#unsafe-inline\"><code>'unsafe-inline'</code></a></li>\n</ul>\n<p>See <a href=\"/en-US/docs/Web/HTTP/CSP#the_strict-dynamic_keyword\">The <code>strict-dynamic</code> keyword</a> in the CSP guide for more usage information.</p>"}},{"type":"prose","value":{"id":"report-sample","title":"'report-sample'","isH3":true,"content":"<p>If this expression is included in a directive controlling scripts or styles, and the directive causes the browser to block any inline scripts, inline styles, or event handler attributes, then the <a href=\"/en-US/docs/Web/HTTP/CSP#violation_reporting\">violation report</a> that 
the browser generates will contain a <a href=\"/en-US/docs/Web/API/CSPViolationReportBody/sample\" title=\"sample\"><code>sample</code></a> property containing the first 40 characters of the blocked resource.</p>"}},{"type":"prose","value":{"id":"csp_in_workers","title":"CSP in workers","isH3":false,"content":"<p>\n <a href=\"/en-US/docs/Web/API/Worker\">Workers</a> are in general <em>not</em> governed\n by the content security policy of the document (or parent worker) that created them. To\n specify a content security policy for the worker, set a\n <code>Content-Security-Policy</code> header on the response that serves the\n worker script itself.\n</p>\n<p>\n The exception to this is if the worker script's origin is a globally unique identifier\n (for example, if its URL has a scheme of data or blob). In this case, the worker does\n inherit the content security policy of the document or worker that created it.\n</p>"}},{"type":"prose","value":{"id":"multiple_content_security_policies","title":"Multiple content security policies","isH3":false,"content":"<p>\n The CSP mechanism allows multiple policies to be specified for a resource, including\n via the <code>Content-Security-Policy</code> header, the\n <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only\"><code>Content-Security-Policy-Report-Only</code></a> header and a\n <a href=\"/en-US/docs/Web/HTML/Element/meta\"><code>&lt;meta&gt;</code></a> element.\n</p>\n<p>\n You can use the <code>Content-Security-Policy</code> header more than once, as in the\n example below. Pay special attention to the <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src\"><code>connect-src</code></a> directive here. Even\n though the second policy would allow the connection, the first policy contains\n <code>connect-src 'none'</code>. 
Adding further policies <em>can only further\nrestrict</em> the capabilities of the protected resource, which means that there will\n be no connection allowed and, as the strictest policy, <code>connect-src 'none'</code>\n is enforced.\n</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Content-Security-Policy: default-src 'self' http://example.com;\n connect-src 'none';\nContent-Security-Policy: connect-src http://example.com/;\n script-src http://example.com/\n</code></pre></div>"}},{"type":"prose","value":{"id":"examples","title":"Examples","isH3":false,"content":""}},{"type":"prose","value":{"id":"disable_unsafe_inline_code_and_only_allow_https_resources","title":"Disable unsafe inline code and only allow HTTPS resources","isH3":true,"content":"<p>\n This HTTP header sets the default policy to only allow resource loading (images, fonts, scripts, etc.) over HTTPS.\n Because the <code>unsafe-inline</code> and <code>unsafe-eval</code> keywords are not set, inline scripts and <code>eval()</code>-style dynamic code evaluation will be blocked.\n</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Content-Security-Policy: default-src https:\n</code></pre></div>\n<p>The same restrictions can be applied using the HTML <a href=\"/en-US/docs/Web/HTML/Element/meta\"><code>&lt;meta&gt;</code></a> element.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">html</span></div><pre class=\"brush: html notranslate\"><code>&lt;meta http-equiv=\"Content-Security-Policy\" content=\"default-src https:\" /&gt;\n</code></pre></div>"}},{"type":"prose","value":{"id":"allow_inline_code_and_https_resources_but_disable_plugins","title":"Allow inline code and HTTPS resources, but disable plugins","isH3":true,"content":"<p>This policy could be used on a pre-existing site that has too much 
inline code to fix, to ensure resources are loaded only over HTTPS and disable plugins:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'\n</code></pre></div>"}},{"type":"prose","value":{"id":"report_but_dont_enforce_violations_when_testing","title":"Report but don't enforce violations when testing","isH3":true,"content":"<p>\n This example sets the same restrictions as the previous example, but using the <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only\"><code>Content-Security-Policy-Report-Only</code></a> header and the <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to\"><code>report-to</code></a> directive.\n This approach is used during testing to report violations but not block code from executing.\n</p>\n<p>Endpoints (URLs) to send reports to are defined using the <a href=\"/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints\"><code>Reporting-Endpoints</code></a> HTTP response header.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Reporting-Endpoints: csp-endpoint=\"https://example.com/csp-reports\"\n</code></pre></div>\n<p>A particular endpoint is then selected as the report target in the CSP policy using the <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to\"><code>report-to</code></a> directive.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-url/; report-to csp-endpoint\n</code></pre></div>\n<p>Note that the <a 
href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri\"><code>report-uri</code></a> <abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n <span class=\"visually-hidden\">Deprecated</span>\n</abbr> directive is also specified above because <code>report-to</code> is not yet broadly supported by browsers.</p>\n<p>See <a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/CSP\">Content Security Policy (CSP) implementation</a> for more examples.</p>"}},{"type":"specifications","value":{"title":"Specifications","id":"specifications","isH3":false,"specifications":[{"bcdSpecificationURL":"https://w3c.github.io/webappsec-csp/#csp-header","title":"Content Security Policy Level 3"}],"query":"http.headers.Content-Security-Policy"}},{"type":"browser_compatibility","value":{"title":"Browser compatibility","id":"browser_compatibility","isH3":false,"query":"http.headers.Content-Security-Policy"}},{"type":"prose","value":{"id":"see_also","title":"See also","isH3":false,"content":"<ul>\n <li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only\"><code>Content-Security-Policy-Report-Only</code></a></li>\n <li><a href=\"/en-US/docs/Web/HTTP/CSP\">Learn about: Content Security Policy</a></li>\n <li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy\">Content Security in WebExtensions</a></li>\n <li><a href=\"https://csp.withgoogle.com/docs/strict-csp.html\" class=\"external\" target=\"_blank\">Adopting a strict policy</a></li>\n <li>\n <a href=\"https://github.com/google/csp-evaluator\" class=\"external\" target=\"_blank\">CSP Evaluator</a> - Evaluate your\n Content Security Policy\n </li>\n</ul>"}}],"toc":[{"text":"Syntax","id":"syntax"},{"text":"Directives","id":"directives"},{"text":"Fetch directive syntax","id":"fetch_directive_syntax"},{"text":"CSP in workers","id":"csp_in_workers"},{"text":"Multiple content security 
policies","id":"multiple_content_security_policies"},{"text":"Examples","id":"examples"},{"text":"Specifications","id":"specifications"},{"text":"Browser compatibility","id":"browser_compatibility"},{"text":"See also","id":"see_also"}],"summary":"The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints.\n This helps guard against cross-site scripting attacks.","popularity":0.0685,"modified":"2024-11-19T04:36:44.000Z","other_translations":[{"locale":"de","title":"Content-Security-Policy","native":"Deutsch"},{"locale":"es","title":"Content-Security-Policy","native":"Español"},{"locale":"fr","title":"Politique de sécurité de contenu","native":"Français"},{"locale":"ja","title":"Content-Security-Policy","native":"日本語"},{"locale":"pt-BR","title":"Content-Security-Policy","native":"Português (do Brasil)"},{"locale":"zh-CN","title":"Content-Security-Policy","native":"中文 (简体)"}],"pageType":"http-header","source":{"folder":"en-us/web/http/headers/content-security-policy","github_url":"https://github.com/mdn/content/blob/main/files/en-us/web/http/headers/content-security-policy/index.md","last_commit_url":"https://github.com/mdn/content/commit/6368e2b112a343fa00ae1a8cf51ceb0b0b845834","filename":"index.md"},"short_title":"Content-Security-Policy","parents":[{"uri":"/en-US/docs/Web","title":"References"},{"uri":"/en-US/docs/Web/HTTP","title":"HTTP"},{"uri":"/en-US/docs/Web/HTTP/Headers","title":"Headers"},{"uri":"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy","title":"Content-Security-Policy"}],"pageTitle":"Content-Security-Policy - HTTP | MDN","noIndexing":false}}</script></body></html>
