CSP Examples
Interactive demos showing how Content Security Policy controls which scripts can run.
-
→default-srcThe simplest CSP policy. See how
default-src 'self'blocks injected inline scripts. -
→script-src originTrust scripts by origin URL. Any script loaded from a listed domain runs without a nonce or hash.
-
→script-src nonceA per-request random token in the header and script tag lets one specific inline script run.
-
→script-src hashA cryptographic hash of the script content. Only scripts whose content matches the hash are allowed.
-
→script-src strict-dynamicLets a trusted script inject further scripts, so third-party scripts work without allowlisting domains.
-
→script-src-elem / script-src-attrSplit script rules by category. Allow inline event handlers while keeping
<script>blocks protected by nonces.