Content-Security-Policy directives cheat sheet
The CSP directives that matter most for security, what each one controls, and safe default values.
Fetch directives and default-src
Fetch directives such as script-src, style-src, img-src, font-src and connect-src control where each type of resource may load from. default-src is the fallback for any fetch directive you do not set, so a restrictive default-src such as 'self' gives every omitted fetch directive a safe baseline. Two caveats: a fetch directive you do set replaces the fallback entirely rather than extending it, and default-src covers only fetch directives. base-uri, form-action, frame-ancestors and sandbox never inherit from it and must be set explicitly.
Locking down scripts
script-src is the most important directive for stopping XSS. Avoid 'unsafe-inline' and 'unsafe-eval'. Instead allow only your own origin plus a per-response nonce ('nonce-...') or a content hash ('sha256-...') so the browser runs only the inline scripts you approve. The nonce must be unguessable (at least 128 bits from a CSPRNG, base64-encoded), generated fresh for every response and never served from a cached page; a reused nonce is as good as 'unsafe-inline'. A hash commits to the exact bytes of one inline script, so any change to that script changes the hash. Browsers that support nonces and hashes ignore 'unsafe-inline' when either is present, which lets you keep it as a fallback for older browsers without weakening the policy for modern ones. Also set object-src 'none' unless you need plugins, since plugin content can execute script outside script-src.
Navigation and framing directives
base-uri restricts the <base> element and should be 'none' (or 'self' if the page genuinely sets a base URL) to block base-tag injection, which would otherwise redirect every relative script URL to an attacker's host. form-action is the other navigation directive and limits where forms may submit. frame-ancestors controls who may embed your page in a frame and is the modern replacement for X-Frame-Options; set it to 'none' or 'self' to prevent clickjacking. None of these three inherit from default-src, and frame-ancestors is ignored when the policy is delivered in a <meta> element, so send it as a response header. Keeping X-Frame-Options alongside it still covers old browsers; where both are present, browsers that understand frame-ancestors apply it and ignore X-Frame-Options.
Reporting before enforcing
Use Content-Security-Policy-Report-Only with report-uri or report-to to collect violations without breaking the page. report-uri is deprecated but still the directive every browser supports; report-to is its Reporting API replacement and needs a Reporting-Endpoints header that defines the named endpoint, so send both during the transition. Report-Only cannot be delivered in a <meta> element. Expect noise from browser extensions that inject their own scripts and styles, and triage by directive and blocked URI rather than by raw count. Once the reports are clean, switch to the enforcing Content-Security-Policy header; the two headers can be sent at once, so a tighter candidate policy can be trialled in Report-Only mode while the current policy stays enforced.
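The reporting stage above involves two report formats and a headers pair that must agree with each other. The following is an added example, not code from the cheat sheet: a Node.js helper that emits the Report-Only and Reporting-Endpoints headers, normalises reports from both the legacy report-uri format and the Reporting API batch format, and drops browser-extension noise before counting. The endpoint name csp-endpoint, the path /csp-report, the example.com hosts and the sample reports are assumptions constructed for this example.

```javascript
// Added example, not part of the cheat sheet: the headers for the reporting
// stage and a normaliser for the two report formats a collector receives.
// Node.js, no dependencies. The endpoint name "csp-endpoint", the path
// /csp-report and the sample reports are assumptions constructed for this example.

// Send both reporting directives: report-uri is deprecated but still the one
// every browser understands, report-to is the Reporting API replacement and
// needs a matching Reporting-Endpoints header (the group names must agree).
function reportOnlyHeaders(policy) {
  return {
    "Reporting-Endpoints": 'csp-endpoint="https://example.com/csp-report"',
    "Content-Security-Policy-Report-Only":
      `${policy}; report-uri /csp-report; report-to csp-endpoint`,
  };
}

// report-uri POSTs one report as application/csp-report; the Reporting API
// POSTs a batch (JSON array) as application/reports+json with camelCase keys.
function normalizeReports(contentType, body) {
  const parsed = JSON.parse(body);
  if (contentType.startsWith("application/csp-report")) {
    const r = parsed["csp-report"];
    return [{
      directive: r["effective-directive"] || r["violated-directive"],
      blocked: r["blocked-uri"],
      document: r["document-uri"],
      disposition: r["disposition"] || "report",
    }];
  }
  if (contentType.startsWith("application/reports+json")) {
    return parsed
      .filter((r) => r.type === "csp-violation")
      .map((r) => ({
        directive: r.body.effectiveDirective,
        blocked: r.body.blockedURL,
        document: r.body.documentURL,
        disposition: r.body.disposition,
      }));
  }
  throw new Error(`unexpected report content type: ${contentType}`);
}

// Browser extensions inject into every page and produce violations the site
// cannot fix; drop them so real findings stand out.
const EXTENSION_SCHEMES = /^(chrome|moz|safari|ms-browser)-extension:/;

// Count violations per (directive, blocked URL); "inline" under script-src
// means an inline script that still needs a nonce or hash.
function summarize(reports) {
  const counts = {};
  for (const r of reports) {
    if (EXTENSION_SCHEMES.test(r.blocked || "")) continue;
    const key = `${r.directive} ${r.blocked}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports, shaped like what browsers send.
const LEGACY_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://example.com/checkout",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "original-policy": "default-src 'self'; script-src 'self'",
  },
});
const REPORTING_API_BATCH = JSON.stringify([
  { type: "csp-violation", age: 12, url: "https://example.com/checkout",
    body: { documentURL: "https://example.com/checkout", effectiveDirective: "script-src",
            blockedURL: "inline", disposition: "report" } },
  { type: "csp-violation", age: 30, url: "https://example.com/checkout",
    body: { documentURL: "https://example.com/checkout", effectiveDirective: "script-src",
            blockedURL: "chrome-extension://abcdef/content.js", disposition: "report" } },
  { type: "csp-violation", age: 41, url: "https://example.com/checkout",
    body: { documentURL: "https://example.com/checkout", effectiveDirective: "img-src",
            blockedURL: "https://cdn.example.net/logo.png", disposition: "report" } },
]);

// Feed both sample formats through the normaliser and count what remains.
function triageSamples() {
  return summarize([
    ...normalizeReports("application/csp-report", LEGACY_REPORT),
    ...normalizeReports("application/reports+json", REPORTING_API_BATCH),
  ]);
}
```

Wire normalizeReports into the collector's POST handler, keyed on the request's Content-Type, and review the summarize output: a "script-src inline" entry means an inline script on the page still lacks a nonce or hash, while a third-party URL under img-src or connect-src is a candidate for an explicit allow entry. Only move to the enforcing header once the counts for your own pages are zero.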