| FIELD | DESCRIPTION | TYPE | DEFAULT VALUE(S) | ALLOWED VALUE(S) |
|---|---|---|---|---|
| enabled | whether this part of the policy will be enforced | Boolean | true | true, false |
| compensatingControl | whether another mechanism elsewhere in the stack handles this | Boolean | false | true, false |
| config | header settings | | | |
| csp | Content Security Policy settings | | | |
| directives | CSP directives | | | |
| default-src | default sources | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| media-src | media sources | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| base-uri | URIs that a user agent may use as the document's base URL | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| img-src | image sources | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| font-src | font sources | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| connect-src | connection sources | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| object-src | object sources | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| plugin-types | plugin types | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| child-src | child sources | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| frame-src | specifies valid sources for elements such as `<frame>` and `<iframe>`. This directive falls back to child-src if not specified. | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| frame-ancestors | specifies parents that may embed a page using elements such as `<frame>` and `<iframe>`. It replaces the X-Frame-Options header. | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| manifest-src | specifies which manifest can be applied to the resource. This directive falls back to default-src if not specified. | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| worker-src | specifies valid sources for Worker, SharedWorker or ServiceWorker | String Array | ["'self'"] | String Array => "self", "none", "all" OR comma-separated list of sources |
| script-src | specifies valid sources for JavaScript ** | String Array | ["'self'"] | String Array => "self", "none", "all", "data" OR comma-separated list of sources |
| style-src | specifies valid sources for stylesheets *** | String Array | ["'self'"] | String Array => "self", "none", "all", "data" OR comma-separated list of sources |
| upgradeInsecureRequests | forces a user agent to load all assets over HTTPS, even if the URL specifies HTTP, when the page is loaded using HTTPS | Boolean | true | true, false |
| blockAllMixedContent | prevents a user agent from loading any assets using HTTP when the page is loaded using HTTPS | Boolean | true | true, false |
| requireSriFor | requires the use of SRI for scripts or styles on the page | JSON Object | {"scripts": true, "styles": true} | JSON Object where keys => "scripts", "styles" and values => true OR false |
| sandbox | applies restrictions to a page, including the prevention of popups, plugins and scripts, and enforces a same-origin policy | | | |
| enable | enables sandbox protection with all restrictions in place. Further values can be specified to disable particular restrictions. | Boolean | true | true, false |
| allow-popups | allows popups | Boolean | true | true, false |
| allow-top-navigation | allows content to navigate and close its top-level browsing context | Boolean | true | true, false |
| allow-same-origin | allows content to access other content from the same origin | Boolean | true | true, false |
| allow-forms | allows form submissions | Boolean | false | true, false |
| allow-pointer-lock | enables the Pointer Lock API | Boolean | true | true, false |
| allow-scripts | allows script execution | Boolean | true | true, false |
| reflectedXSS | configures the built-in heuristics a user agent has to filter or block reflected XSS attacks | | | |
| allow | allows reflected XSS attacks | Boolean | false | true, false |
| block | blocks reflected XSS attacks | Boolean | true | true, false |
| filter | filters the reflected XSS attack | Boolean | false | true, false |
| reportUri | specifies the URI that the user agent will POST a JSON-formatted violation report to should the CSP be violated | | | |
| default | base setting for the report URI | String | "enabled" | "enabled" or "disabled" |
| uriLocation | endpoint that violation reports are sent to | String | "/cspviolations" | String |
| port | listening port for CSP violation reports | Number(int) | 3030 | Any integer >= 1025 |
| reportOnly | marks the CSP header as report-only. The user agent will deliver violation reports but not enforce the policy. | Boolean | true [i] | true, false |
| useNonce | "number used once" used to whitelist an entire script block regardless of its contents | Boolean | false | true, false |
| useHash | browser-calculated hash value so that only the exact script block can run | Boolean | false | true, false |
| mimeSettings | identification of document formats | | | |
| mimeTypes | methods to determine how a document will be processed | String Array | ["text/html", "application/json", "image/jpg", "image/png", "multipart/form-data"] | String Array, standard MIME types |
| contentEncoding | used to compress the media type | String Array | ["gzip"] | ["gzip", "compress", "deflate", "identity", "br"] |
| characterEncoding | mapping between bytes and text | String Array | ["utf-8"] | ["us-ascii", "utf-8", "utf-16", "utf-32"] |
| xContentTypeOptions | allows opting out of MIME type sniffing | String or null | "nosniff" | "nosniff", null |
| strictTransportSecurity | tells browsers that the site should only be accessed using HTTPS, never HTTP | | | |
| enabled | turns this header on or off | Boolean | true | true, false |
| includeSubDomains | forces all subdomains to follow the HSTS settings of the parent | Boolean | true | true, false |
| preload | Google maintains an HSTS preload service. Once your domain follows the guidelines and has been submitted successfully, browsers will never connect to it over an insecure connection | Boolean | false | true, false |
| maxAge | the time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS | Number(int) | 31536000 | Integer >= 0 (0 = never enforce) |
| preventClickJacking | prevents pages from being framed | Boolean | true | true, false |
| referrals | how referrals are treated | | | |
| enabled | turns this on or off | Boolean | true | true, false |
| options | referrer options | | | |
| noReferer | never send a Referer header | Boolean | true | true, false |
| noOnDowngrade | don't send a referrer if the scheme goes from HTTPS to HTTP | Boolean | false | true, false |
| originOnly | send the origin of the document as the referrer in all cases | Boolean | false | true, false |
| originOnCross | send a full URL when performing a same-origin request, but only the origin of the document for other cases | Boolean | false | true, false |
| unsafeUrl | send a full URL when performing a same-origin or cross-origin request | Boolean | false | true, false |
| xssProtection | stops pages from loading when they detect reflected cross-site scripting (XSS) attacks | | | |
| enabled | turns this feature on or off | Boolean | true | true, false |
| mode | sets mode=block | Array | [1, "block"] | [0] (disable XSS filtering); [1] (if a cross-site scripting attack is detected, the browser will sanitize the page); [1, "block"] (rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected); [1, "report="] |
| caching | sets cache-control headers | | | |
| enabled | turns cache-control headers on/off | Boolean | true | true, false |
| compensatingControl | whether another mechanism elsewhere in the stack handles this | Boolean | false | true, false |
| routeOverload | change cache settings on a per-route basis | Boolean | false | true, false |
| cacheControl | specify directives for caching mechanisms in both requests and responses | String Array | ["no-cache", "no-store", "no-transform", "must-revalidate", "max-age=0"] | ["no-cache", "no-store", "no-transform", "must-revalidate", "max-age=0"] (0 = no-cache) |
| pragma | used for backwards compatibility with HTTP/1.0 caches where the HTTP/1.1 Cache-Control header is not yet present | String | "no-cache" | "no-cache" |
| eTags | identifier for a specific version of a resource | | | |
| enabled | turns this header on or off | Boolean | true | true, false |
| strength | ensure byte-for-byte resource equivalence | String | "strong" | "strong", "weak" |
| vary | determines how to match future request headers to decide whether a cached response can be used rather than requesting a fresh one from the origin server | String Array | ["origin", "host", "referer"] | Any generated header |

\* Won't be set if Object Sources isn't set

\*\* This directive falls back to default-src if not specified. When either script-src or default-src is present, inline script and eval() are blocked unless Unsafe Inline and Unsafe Eval, respectively, are added.

\*\*\* This directive falls back to default-src if not specified. When either style-src or default-src is present, inline `<style>` elements and HTML style attributes are disabled unless you specify Unsafe Inline.

[i] Run the CSP in report-only mode until you are confident that all of your desired sources are loading correctly.
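The table lists the fields but not how they compose into the headers a browser actually sees. The following is an added example, not code from the middleware this table documents, that renders a `Content-Security-Policy` (or `-Report-Only`) header and a `Strict-Transport-Security` header from a policy object shaped like the `csp` and `strictTransportSecurity` sections above. It assumes that the table's `"all"` source means the wildcard `*`, that `"data"` means the `data:` scheme, and that `reportUri.port` belongs only to the listener that receives reports and never appears in the header; the sample policy is constructed for the example.

```javascript
// Added example, not the project's own code: render headers from a policy
// object shaped like the `csp` and `strictTransportSecurity` sections of the
// table. Assumptions: "all" means the wildcard `*`, "data" means the `data:`
// scheme, and reportUri.port is for the report listener, not the header.

// Constructed sample policy: the table's defaults with a few overrides.
const samplePolicy = {
  csp: {
    directives: {
      'default-src': ["'self'"],
      'script-src': ['self', 'https://cdn.example.com'], // unquoted keyword on purpose
      'img-src': ['self', 'data'],
      'object-src': ['none'],
      'frame-ancestors': ['none'],
    },
    upgradeInsecureRequests: true,
    blockAllMixedContent: true,
    requireSriFor: { scripts: true, styles: false },
    sandbox: { enable: false },
    reportUri: { default: 'enabled', uriLocation: '/cspviolations', port: 3030 },
    reportOnly: true,
  },
  strictTransportSecurity: {
    enabled: true, includeSubDomains: true, preload: false, maxAge: 31536000,
  },
};

// Keyword sources must be single-quoted in the header; a host source must not be.
const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic']);

function normalizeSource(src) {
  const bare = src.replace(/^'|'$/g, ''); // tolerate already-quoted keywords
  if (bare === 'all') return '*';         // assumption: "all" means wildcard
  if (bare === 'data') return 'data:';    // scheme source
  return KEYWORDS.has(bare) ? `'${bare}'` : bare;
}

// 'none' only means something on its own; alongside other sources it is dropped.
function normalizeList(list) {
  const out = list.map(normalizeSource);
  return out.length > 1 ? out.filter((s) => s !== "'none'") : out;
}

const SRI_TARGETS = { scripts: 'script', styles: 'style' };

function buildCsp(csp) {
  const parts = [];
  for (const [name, sources] of Object.entries(csp.directives || {})) {
    parts.push(`${name} ${normalizeList(sources).join(' ')}`);
  }
  if (csp.upgradeInsecureRequests) parts.push('upgrade-insecure-requests');
  if (csp.blockAllMixedContent) parts.push('block-all-mixed-content');
  const sri = Object.keys(SRI_TARGETS)
    .filter((k) => csp.requireSriFor && csp.requireSriFor[k])
    .map((k) => SRI_TARGETS[k]);
  if (sri.length) parts.push(`require-sri-for ${sri.join(' ')}`);
  // sandbox: `enable` turns on every restriction; each true allow-* flag lifts one.
  if (csp.sandbox && csp.sandbox.enable) {
    const allows = Object.keys(csp.sandbox)
      .filter((k) => k.startsWith('allow-') && csp.sandbox[k]);
    parts.push(['sandbox', ...allows].join(' '));
  }
  if (csp.reportUri && csp.reportUri.default === 'enabled') {
    parts.push(`report-uri ${csp.reportUri.uriLocation}`);
  }
  // reportOnly switches the header name so the policy is observed, not enforced.
  const name = csp.reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { name, value: parts.join('; ') };
}

function buildHsts(sts) {
  if (!sts || !sts.enabled) return null;
  const tokens = [`max-age=${sts.maxAge}`];
  if (sts.includeSubDomains) tokens.push('includeSubDomains');
  if (sts.preload) tokens.push('preload');
  return { name: 'Strict-Transport-Security', value: tokens.join('; ') };
}

function renderHeaders(policy) {
  return [buildCsp(policy.csp), buildHsts(policy.strictTransportSecurity)].filter(Boolean);
}

for (const h of renderHeaders(samplePolicy)) console.log(`${h.name}: ${h.value}`);
```

With `reportOnly: true` the sample emits `Content-Security-Policy-Report-Only`, which matches footnote [i]: violations are posted to `/cspviolations` without breaking any page, and the header name flips to the enforcing form once the flag is set to false.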