Content Security Policy header design for modern web apps

4934 views

                  add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-$request_id'; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://api.example.com; frame-ancestors 'none'; base-uri 'self'; object-src 'none'" always;

CSP design is about reducing script execution freedom without breaking the app. I prefer nonces over unsafe-inline, keep the allowed source list tight, and roll policies out in report-only mode first. That gives teams a workable path from permissive front-end habits to something meaningfully safer.

Kai Nakamura

More from Kai Nakamura

Content Security Policy header design for modern web apps

0 Comments

More from Kai Nakamura