contentSecurityPolicy
Default
Additionally, if isDev is set to true:
Description
contentSecurityPolicy controls the Content-Security-Policy header. It takes an object, in which each key is a CSP directive and the value of that key is an array of sources. For example:
Note that 'self' is in quotes. This is a CSP thing and next-safe does not handle it for you. The special sources (such as 'self', 'none', etc.) must be wrapped in single quotes: the CSP grammar only recognises keyword sources in single quotes, and an unquoted self would be parsed by the browser as a host name rather than as the keyword.
Examples
Allow all sources from this website by default
Restrict the URIs that can be used in the <base> element
Force the browser to use https:// for all http:// links
Disable the prefetch-src directive
Disable CSP entirely (NOT recommended)
contentSecurityPolicy.mergeDefaultDirectives
Setting contentSecurityPolicy.mergeDefaultDirectives to true will retain the default directive values supplied by next-safe and merge them with any additional directives that are added in the configuration. Duplicate values in any directives will be removed. Setting any directive as false will disable the directive as usual.
contentSecurityPolicy.reportOnly
Setting contentSecurityPolicy.reportOnly to true will rename the Content-Security-Policy header to Content-Security-Policy-Report-Only. This is useful if you want to test your CSP without breaking your site: in report-only mode the browser reports violations but blocks nothing, so the policy has no protective effect until you switch back to the enforcing header. Make sure to also set up an endpoint to receive the reports, then set your contentSecurityPolicy.report-to field to point to that endpoint.
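The description above (a directive map whose values are arrays of sources), the five example headings, and the mergeDefaultDirectives and reportOnly options, brought together in one added, runnable example. This is illustrative code written for this page, not next-safe's own implementation: the default directive list is a constructed stand-in, treating a boolean true as a valueless directive (such as upgrade-insecure-requests), and replacing a default per directive when merging is off are assumptions of the example, not documented behaviour of the library.

```javascript
// Added example, not next-safe's own code. It models the behaviour this page
// documents: each key is a CSP directive whose value is an array of sources,
// `false` disables a directive, mergeDefaultDirectives merges user values into
// the defaults and removes duplicates, and reportOnly changes the header name.
// Assumptions of this example: a boolean `true` stands for a valueless
// directive (e.g. upgrade-insecure-requests), and with merging off a user
// directive replaces the default value of that directive only.

// Constructed stand-in for the library's defaults (NOT next-safe's real list).
const SAMPLE_DEFAULTS = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "object-src": ["'none'"],
  "prefetch-src": ["'self'"],
  "upgrade-insecure-requests": true,
};

// CSP keyword sources are only recognised when single-quoted; an unquoted
// "self" would be parsed by the browser as a host name, silently widening
// the policy. Rejecting the unquoted form catches that mistake early.
const KEYWORDS = new Set([
  "self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic",
  "unsafe-hashes", "report-sample",
]);

function checkSource(directive, source) {
  if (typeof source !== "string" || source.length === 0) {
    throw new TypeError(`${directive}: every source must be a non-empty string`);
  }
  if (KEYWORDS.has(source)) {
    throw new Error(`${directive}: write the keyword as '${source}' (single quotes)`);
  }
  return source;
}

// Combine the defaults with the user's directives (assumed semantics, see above).
function resolveDirectives(defaults, user, mergeDefaultDirectives) {
  const out = { ...defaults };
  for (const [directive, value] of Object.entries(user)) {
    const base = out[directive];
    if (value === false || value === true || !mergeDefaultDirectives || !Array.isArray(base)) {
      out[directive] = value; // disable, valueless flag, or plain replacement
      continue;
    }
    out[directive] = [...new Set([...base, ...value])]; // merge and drop duplicates
  }
  return out;
}

// Serialise a directive map into a header value; null means "send no header".
function serializeCsp(directives) {
  const parts = [];
  for (const [directive, value] of Object.entries(directives)) {
    if (value === false) continue; // directive disabled
    if (value === true) { parts.push(directive); continue; } // valueless directive
    if (!Array.isArray(value)) {
      throw new TypeError(`${directive}: expected an array of sources, true or false`);
    }
    parts.push(`${directive} ${value.map((s) => checkSource(directive, s)).join(" ")}`);
  }
  return parts.length ? parts.join("; ") : null;
}

// Build the { key, value } header pair from a next-safe style config object.
function buildCspHeader(config, defaults = SAMPLE_DEFAULTS) {
  if (config === false) return null; // "Disable CSP entirely (NOT recommended)"
  const { mergeDefaultDirectives = false, reportOnly = false, ...user } = config;
  const value = serializeCsp(resolveDirectives(defaults, user, mergeDefaultDirectives));
  if (value === null) return null;
  const key = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  return { key, value };
}

// Constructed configurations matching the example headings on this page.
const EXAMPLES = {
  allowSelf: { "default-src": ["'self'"] },
  restrictBase: { "base-uri": ["'none'"] },
  upgradeInsecure: { "upgrade-insecure-requests": true },
  noPrefetch: { "prefetch-src": false },
  // report-to names a reporting group; the endpoint URL itself is declared in
  // a separate Reporting-Endpoints header and must be served by a receiver.
  reportOnly: { reportOnly: true, "report-to": ["csp-endpoint"] },
  merged: { mergeDefaultDirectives: true, "script-src": ["'self'", "https://cdn.example.com"] },
};
```

The returned { key, value } pair has the shape a Next.js headers() entry expects, which is where the library's output ends up; the check for unquoted keywords is an addition of this example, since, as the page says, next-safe does not handle the quoting for you.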