Configure CSP directives and see which attacks are blocked vs allowed
| Directive | What it controls | Recommended value | Without it |
|---|---|---|---|
| default-src | Fallback for all resources | 'self' | All origins allowed |
| script-src | JavaScript sources | 'self' 'nonce-xxx' | Inline scripts run (XSS!) |
| style-src | CSS sources | 'self' 'nonce-xxx' | CSS injection possible |
| img-src | Image sources | 'self' data: https: | Tracking pixels from anywhere |
| connect-src | fetch/XHR destinations | 'self' https://api.example.com | Data exfiltration via fetch |
| frame-ancestors | Who can embed you (clickjacking) | 'none' | Clickjacking attacks work |