Content Security Policy

Per CSP Level 3 (W3C WD)

Strict CSP header with nonces instead of unsafe-inline, aligned with BSI IT-Grundschutz.

What is this, and when do I need it?

What is this?

Content Security Policy (CSP, level 3) is an HTTP response header that tells the browser which sources it may load scripts, images, fonts, iframes etc. from. Anything not on the list is blocked.

This stops Cross-Site Scripting (XSS) and the injection of foreign scripts via compromised third parties, today's most common attack class against web apps.

Important: the header belongs in the server config (Nginx, Apache, Caddy, IIS), not in a <meta> tag in HTML, where it is partially ignored (directives such as frame-ancestors and the reporting directives are not honoured there) and therefore less strict.

When do I need it?

For every self-hosted web app with user login, forms, or embedded third-party scripts (analytics, maps, embeds). For purely static marketing pages without input fields the value is small, but it is best practice for BSI IT-Grundschutz compliance.

Rollout: first test with Content-Security-Policy-Report-Only plus a report endpoint, then after 2-4 weeks without violations switch to enforcing.

CSP terminology

A directive lists the allowed sources for one resource type. Values: 'self' = same origin, 'none' = nothing, 'unsafe-inline'/'unsafe-eval' = effectively disables the CSP protection for that directive, https://cdn.example.com = only this host origin, data: = data URLs, 'sha256-…' = the hash of one specific inline script or style. Separate multiple values with spaces, and directives with semicolons.

HTTP header per CSP Level 3 (W3C WD)

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{NONCE}' 'strict-dynamic'; style-src 'self' 'nonce-{NONCE}'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'none'; object-src 'none'; manifest-src 'self'; worker-src 'self'; media-src 'self'; upgrade-insecure-requests

Free, no warranty (best effort). Generated and inspected values are non-binding; we accept no liability for erroneous or incomplete results or configurations. Use and verification are your own responsibility; please test before production use.

Header value only per CSP Level 3 (W3C WD)

default-src 'self'; script-src 'self' 'nonce-{NONCE}' 'strict-dynamic'; style-src 'self' 'nonce-{NONCE}'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'none'; object-src 'none'; manifest-src 'self'; worker-src 'self'; media-src 'self'; upgrade-insecure-requests

{NONCE} is a placeholder your server must replace per request with a freshly generated, cryptographically random value (at least 128 bits of entropy, base64-encoded). The same value must appear as the nonce="..." attribute on every inline script the page ships.

report-to is the modern variant of CSP reporting. It requires the accompanying HTTP response header Reporting-Endpoints: default="https://example.com/csp-report". Without that header the browser shows violations in the console but does not send reports. report-uri is deprecated but still read by every current browser and is the only reporting mechanism Firefox currently supports, so set both in parallel.

Note BSI APP.3.1: a strict CSP is a defense-in-depth measure; it sits alongside output encoding, HttpOnly cookies and SameSite attributes in the layered defenses against XSS and clickjacking. A nonce-based strict CSP per Google's pattern requires 'strict-dynamic', otherwise scripts inserted dynamically by a trusted script get blocked.
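The following is an added example, not the generator's own code, showing what the server side of the sections above looks like: a per-request nonce with 128 bits of CSPRNG entropy substituted for {NONCE}, the header emitted either as Report-Only (rollout phase) or enforcing, both reporting directives together with the Reporting-Endpoints header that report-to depends on, and a check that the rendered page carries the same nonce on its script tags. The report endpoint https://example.com/csp-report, the sample HTML and the helper names are constructed for the example. One caveat the check reflects: once 'strict-dynamic' is in effect, browsers that support it ignore 'self' and host sources in script-src, so every script element the page itself ships (external src included) needs the nonce; only scripts created at runtime by an already-trusted script inherit trust without one.

```python
"""Per-request CSP nonce handling (added example, stdlib only)."""
import base64
import secrets
from html.parser import HTMLParser

# Policy text from the page; {NONCE} is substituted once per response.
CSP_TEMPLATE = (
    "default-src 'self'; script-src 'self' 'nonce-{NONCE}' 'strict-dynamic'; "
    "style-src 'self' 'nonce-{NONCE}'; img-src 'self' data:; connect-src 'self'; "
    "font-src 'self'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; "
    "base-uri 'none'; object-src 'none'; manifest-src 'self'; worker-src 'self'; "
    "media-src 'self'; upgrade-insecure-requests"
)
# Constructed report collector URL; point this at your own endpoint.
REPORT_ENDPOINT = "https://example.com/csp-report"


def make_nonce() -> str:
    """16 bytes (128 bits) from the OS CSPRNG, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_headers(nonce: str, report_only: bool = False) -> dict:
    """Build the CSP header (Report-Only during rollout) plus report-uri,
    report-to and the Reporting-Endpoints header report-to requires."""
    policy = CSP_TEMPLATE.replace("{NONCE}", nonce)
    policy += f"; report-uri {REPORT_ENDPOINT}; report-to default"
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: policy, "Reporting-Endpoints": f'default="{REPORT_ENDPOINT}"'}


class _ScriptNonceCheck(HTMLParser):
    """Counts <script> elements whose nonce attribute does not match."""

    def __init__(self, nonce: str):
        super().__init__()
        self.nonce = nonce
        self.missing = 0

    def handle_starttag(self, tag, attrs):
        # With 'strict-dynamic' both inline and src= scripts need the nonce.
        if tag == "script" and dict(attrs).get("nonce") != self.nonce:
            self.missing += 1


def scripts_missing_nonce(html: str, nonce: str) -> int:
    """Return how many script tags lack the request's nonce (0 = consistent)."""
    parser = _ScriptNonceCheck(nonce)
    parser.feed(html)
    return parser.missing


def render_page(nonce: str) -> str:
    """Constructed sample page: every script tag carries the request's nonce."""
    return (
        "<html><head>"
        f'<script nonce="{nonce}">window.cfg = {{}};</script>'
        f'<script nonce="{nonce}" src="/static/app.js"></script>'
        "</head><body></body></html>"
    )


if __name__ == "__main__":
    n = make_nonce()
    for name, value in csp_headers(n, report_only=True).items():
        print(f"{name}: {value}")
    print("script tags without nonce:", scripts_missing_nonce(render_page(n), n))
```

Generate the nonce once per request, pass the same value to both the header builder and the template, and switch report_only to False only after the reporting endpoint has stayed quiet for the rollout period.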

Inspect security headers of a URL

Fetches the URL and checks CSP plus the usual web security headers (HSTS, X-Content-Type-Options, Permissions-Policy, etc.).

Server path: this inspection does NOT run browser-local. We fetch the DNS record or HTTPS response via our server. We do not log the queried domain or the result. Rate limit: 12 requests per minute per IPv4 address or IPv6 /64 subnet.
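Added example, not the site's inspection tool, of the kind of checks such an inspector runs over a response's headers: it parses the CSP value into directives and flags the common weaknesses ('unsafe-inline' without a nonce or hash, 'unsafe-eval', wildcard script sources, object-src not 'none', missing base-uri and frame-ancestors, which unlike object-src do not fall back to default-src, and a {NONCE} placeholder the server forgot to substitute), then checks HSTS, X-Content-Type-Options and Permissions-Policy. The GOOD_HEADERS and WEAK_HEADERS dictionaries are constructed sample responses so the block runs offline; fetch_headers is the live-fetch helper you would call instead.

```python
"""Security-header inspection over a response's header dict (added example)."""
import urllib.request
from typing import Dict, List

ONE_YEAR = 31536000


def fetch_headers(url: str, timeout: float = 10) -> Dict[str, str]:
    """Live fetch of a URL's response headers (not used by the offline sample)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]} (directive names lowercased)."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def inspect_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP only in Report-Only mode: nothing is enforced yet")
        else:
            findings.append("Content-Security-Policy missing")
    else:
        d = parse_csp(csp)
        script = d.get("script-src", d.get("default-src", []))
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
        # CSP3 browsers ignore 'unsafe-inline' once a nonce/hash is present.
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without nonce/hash")
        if "'unsafe-eval'" in script:
            findings.append("script-src allows 'unsafe-eval'")
        if any(s in ("*", "https:", "http:") for s in script):
            findings.append("script-src allows any host via wildcard/scheme source")
        obj = d.get("object-src", d.get("default-src"))  # object-src falls back
        if obj is None:
            findings.append("object-src unset and no default-src to fall back on")
        elif obj != ["'none'"]:
            findings.append("object-src is not 'none'")
        if "base-uri" not in d:
            findings.append("base-uri missing (no default-src fallback)")
        if "frame-ancestors" not in d:
            findings.append("frame-ancestors missing (no default-src fallback; clickjacking)")
        if "{NONCE}" in csp:
            findings.append("literal {NONCE} placeholder shipped; server did not substitute it")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age = 0
        for part in hsts.split(";"):
            key, _, value = part.strip().partition("=")
            if key.lower() == "max-age" and value.strip('"').isdigit():
                max_age = int(value.strip('"'))
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age below one year")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


# Constructed sample responses (not captured from any real site).
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-c29tZXJhbmRvbQ==' "
                               "'strict-dynamic'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "geolocation=(), camera=()",
}
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, inspect_headers(hdrs) or ["no findings"])
```

Header names are matched case-insensitively because servers and proxies do not agree on casing; the value checks stay deliberately strict, since a finding is cheap to review and a silent pass is not.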