Supported CSP directives
Page Shield policies support most Content Security Policy (CSP) directives, covering both monitored and unmonitored resources. You can use a policy to control other types of resources besides scripts and their connections, even though Page Shield is not monitoring these resources.
Each CSP directive can contain multiple values, including:
- Schemes
- Hostnames
- URIs
- Special keywords between single quotes (for example, 'none')
- Hashes between single quotes (for example, 'sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC')
Hostname and URI values support a * wildcard for the leftmost subdomain.
The following table lists the supported CSP directives and special values you can use in Page Shield policies:
| Directive | Name in the dashboard | Supported special values | Monitored |
|---|---|---|---|
| script-src | Scripts | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | Yes |
| connect-src | Connections | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | Yes |
| default-src | Default | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| img-src | Images | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| style-src | Styles | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| font-src | Fonts | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| object-src | Objects | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| media-src | Media | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| child-src | Child | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| form-action | Form actions | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| worker-src | Workers | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| base-uri | Base URI | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| manifest-src | Manifests | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| frame-src | Frames | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| frame-ancestors | Frame ancestors | 'none', 'self' | No |
| upgrade-insecure-requests | Upgrade insecure requests | N/A | No |
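
The following pre-flight check is an added example, not Cloudflare code: it lints an existing CSP string against the table and wildcard rule above before you copy it into a Page Shield policy. The function name `lint_policy`, the sample policy, the SHA-256/384/512 hash pattern, and the reading that a bare `*` is not covered are assumptions of this example.

```python
import re

# Transcribed from the table above: directive -> special values it lists.
FULL = {"'none'", "'self'", "'unsafe-inline'", "'unsafe-eval'"}
SUPPORTED = {d: FULL for d in (
    "script-src connect-src default-src img-src style-src font-src object-src "
    "media-src child-src form-action worker-src base-uri manifest-src frame-src"
).split()}
SUPPORTED["frame-ancestors"] = {"'none'", "'self'"}  # no '<HASH>' or unsafe-*
SUPPORTED["upgrade-insecure-requests"] = set()       # N/A: takes no values
HASH_OK = {d for d, v in SUPPORTED.items() if v == FULL}
# Assumption: '<HASH>' means a standard CSP hash source (sha256/384/512).
HASH_RE = re.compile(r"^'sha(256|384|512)-[A-Za-z0-9+/]+={0,2}'$")

# Constructed sample policy (not from the page).
SAMPLE = (
    "script-src 'self' https://*.example.com 'strict-dynamic'; "
    "connect-src https://api.*.example.com; "
    "frame-ancestors 'self' 'unsafe-inline'; "
    "upgrade-insecure-requests; "
    "navigate-to 'self'"
)


def lint_policy(policy):
    """Return (directive, value, problem) findings for a CSP string."""
    findings = []
    for part in filter(None, (p.strip() for p in policy.split(";"))):
        name, *values = part.split()
        name = name.lower()
        if name not in SUPPORTED:
            findings.append((name, None, "directive not in the table"))
            continue
        for v in values:
            if not SUPPORTED[name] and name not in HASH_OK and not v.startswith("'"):
                findings.append((name, v, "directive takes no values"))
            elif HASH_RE.match(v):
                if name not in HASH_OK:
                    findings.append((name, v, "hash not listed here"))
            elif v.startswith("'"):
                if v.lower() not in SUPPORTED[name]:
                    findings.append((name, v, "special value not listed"))
            elif "*" in v:
                # Assumed reading: exactly one '*', as the leftmost host label.
                host = v.split("://", 1)[-1].split("/", 1)[0]
                if v.count("*") != 1 or not host.startswith("*."):
                    findings.append((name, v, "wildcard not leftmost subdomain"))
    return findings
```

A finding means only that the value is not listed on this page, so treat it as a prompt to review that directive before saving the policy.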
For more information on CSP directives and their values, refer to the following resources in the MDN documentation: