← back to examples

default-src

Without CSP, injected scripts run freely. A default-src 'self' policy blocks them — click on search to see the difference.

Response header
Content-Security-Policy: (not set)
Search query
Result
( ._.)