3.4.3.5 Understanding the CSP Header

A CSP header is structured into directives that specify which sources are allowed for different types of resources.

The CSP header that APEX emits consists of the following directives and source expressions:

  • default-src 'self' - This directive restricts all default resource loading (scripts, styles, fonts, etc.) to the same origin as your application.
  • #APEX_CSP_NONCE# - APEX dynamically replaces this placeholder with a cryptographically secure nonce for each request. This allows inline scripts that include this nonce to execute, while blocking others.
  • 'unsafe-hashes' #APEX_CSP_HASHES# - Allows specific inline scripts or styles that have been hashed and approved by APEX. APEX replaces #APEX_CSP_HASHES# with the hash value that corresponds to display:none;.
  • object-src 'none' - Disallows the <object>, <embed>, and <applet> elements, which are commonly abused by attackers.
  • img-src 'self' data: - Allows images from the same origin and inline images encoded in data: URLs.
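To make the effect of each directive concrete, the following added example (not APEX code, and not part of the original documentation) models a header of this shape and evaluates a few resource loads against it. The exact header layout, POLICY_TEMPLATE, is an assumption built from the parts listed above; render_policy stands in for APEX's per-request substitution of #APEX_CSP_NONCE# and #APEX_CSP_HASHES#, and the URLs and origin are constructed sample values. The source-matching logic covers 'self', 'none', scheme sources such as data:, exact host sources, nonces and hashes, which is enough to show why a nonced inline script runs while an injected one does not, and why the display:none; hash admits that one style attribute and nothing else.

```python
"""Minimal CSP evaluator illustrating the APEX header layout (added example, not APEX code)."""
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import urlparse

# Assumed layout of the APEX-generated header; the two #...# placeholders are
# filled per request by APEX (here by render_policy below).
POLICY_TEMPLATE = (
    "default-src 'self' 'nonce-#APEX_CSP_NONCE#' 'unsafe-hashes' #APEX_CSP_HASHES#; "
    "object-src 'none'; "
    "img-src 'self' data:"
)

# Fetch directives that fall back to default-src when absent from the policy.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "object-src", "font-src", "connect-src"}


def csp_sha256(text: str) -> str:
    """CSP hash-source for an inline script/style body: base64 of SHA-256 over its UTF-8 bytes."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """128-bit random, base64-encoded nonce; a fresh one per response is what makes nonces work."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def render_policy(nonce: str, hashes: list[str]) -> str:
    """Stand-in for APEX substituting the nonce and approved hashes into the template."""
    return (POLICY_TEMPLATE.replace("#APEX_CSP_NONCE#", nonce)
            .replace("#APEX_CSP_HASHES#", " ".join(hashes)))


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'dir src src; dir src' into {directive: [sources]}; first occurrence of a directive wins."""
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def sources_for(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Source list governing `directive`; None means the policy does not restrict it at all."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def allows_url(policy: dict[str, list[str]], directive: str, url: str, page_origin: str) -> bool:
    """Would a page served from page_origin be allowed to load `url` under `directive`?"""
    sources = sources_for(policy, directive)
    if sources is None:
        return True                      # no directive and no default-src: unrestricted
    if not sources or sources == ["'none'"]:
        return False                     # object-src 'none' lands here
    parsed = urlparse(url)
    origin = f"{parsed.scheme}://{parsed.netloc}"
    for src in sources:
        if src == "'self'" and origin == page_origin:
            return True
        if src.endswith(":") and parsed.scheme == src[:-1].lower():
            return True                  # scheme-source such as data:
        if src == origin:
            return True                  # exact host-source match only (no wildcards modelled)
    return False


def allows_inline_script(policy: dict[str, list[str]], nonce_attr: str) -> bool:
    """An inline <script nonce="..."> runs only if its nonce appears in the governing source list."""
    sources = sources_for(policy, "script-src")
    if sources is None:
        return True
    return bool(nonce_attr) and f"'nonce-{nonce_attr}'" in sources


def allows_style_attribute(policy: dict[str, list[str]], style_text: str) -> bool:
    """A style="..." attribute needs both 'unsafe-hashes' and a hash-source matching its value."""
    sources = sources_for(policy, "style-src")
    if sources is None:
        return True
    return "'unsafe-hashes'" in sources and csp_sha256(style_text) in sources


def demo(page_origin: str = "https://apex.example.com") -> dict[str, bool]:
    """Evaluate constructed sample loads against one rendered policy; returns name -> allowed."""
    nonce = new_nonce()
    policy = parse_csp(render_policy(nonce, [csp_sha256("display:none;")]))
    return {
        "same_origin_script": allows_url(policy, "script-src", page_origin + "/i/apex.js", page_origin),
        "third_party_script": allows_url(policy, "script-src", "https://cdn.example.net/lib.js", page_origin),
        "nonced_inline_script": allows_inline_script(policy, nonce),
        "injected_inline_script": allows_inline_script(policy, "guessed-nonce"),
        "plugin_object": allows_url(policy, "object-src", page_origin + "/legacy.swf", page_origin),
        "data_image": allows_url(policy, "img-src", "data:image/png;base64,iVBORw0KGgo=", page_origin),
        "remote_image": allows_url(policy, "img-src", "https://cdn.example.net/a.png", page_origin),
        "hashed_style_attr": allows_style_attribute(policy, "display:none;"),
        "other_style_attr": allows_style_attribute(policy, "display:block;"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'allowed' if allowed else 'blocked'}")
```

Two points the run makes visible: script-src is absent from the header, so scripts are governed by default-src, which is where the nonce and hash sources live; and the hash admits only the byte-exact value display:none;, so any other style attribute is blocked even though 'unsafe-hashes' is present.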