# CSP

Content Security Policy constants for directive values and special tokens.

## Attributes

| Attribute | Type | Description |
|---|---|---|
| `HEADER_ENFORCE` | string = `Content-Security-Policy` | The standard HTTP header name used to enforce Content Security Policy restrictions. |
| `HEADER_REPORT_ONLY` | string = `Content-Security-Policy-Report-Only` | The HTTP header name used to monitor policy violations without enforcing them. |
| `NONE` | string = `'none'` | The `'none'` source expression, indicating that no URLs match the directive. |
| `REPORT_SAMPLE` | string = `'report-sample'` | Directive value that instructs the browser to include a sample of the violating code in the violation report. |
| `SELF` | string = `'self'` | The `'self'` source expression, referring to the origin from which the protected document is being served. |
| `STRICT_DYNAMIC` | string = `'strict-dynamic'` | Directive value that allows scripts trusted via nonces or hashes to load additional scripts, while host-based allowlists are ignored. |
| `UNSAFE_EVAL` | string = `'unsafe-eval'` | Directive value that allows the use of `eval()` and similar code-execution methods. |
| `UNSAFE_HASHES` | string = `'unsafe-hashes'` | Directive value that enables the use of hashes for inline event handlers. |
| `UNSAFE_INLINE` | string = `'unsafe-inline'` | Directive value that allows the use of inline resources such as inline scripts and styles. |
| `WASM_UNSAFE_EVAL` | string = `'wasm-unsafe-eval'` | Directive value that allows the execution of WebAssembly modules. |
| `NONCE` | string = `<CSP_NONCE_SENTINEL>` | Special placeholder token that is replaced by the middleware with a unique, per-request cryptographic nonce. |