Cloudflare Docs
Page Shield
Visit Page Shield on GitHub
Set theme to dark (⇧+D)

CSP directives supported by policies

Page Shield monitors scripts loaded on your website and the connections they make. Monitored resources are displayed in the Monitors dashboard.

Page Shield policies support most Content Security Policy (CSP) directives, covering both monitored and unmonitored resources. You can use a policy to control other types of resources besides scripts and their connections, even though Page Shield is not monitoring these resources.

Each CSP directive can contain multiple values, including schemes, hostnames, URIs, and special keywords between single quotes (such as 'none'). Hostname and URI values support a * wildcard for the leftmost subdomain.

The following table lists the supported CSP directives and keywords you can use in Page Shield policies:

DirectiveName in the dashboardSupported keywordsMonitored
script-srcScripts'none'
'self'
'unsafe-inline'
'unsafe-eval'
Yes
connect-srcConnections'none'
'self'
'unsafe-inline'
'unsafe-eval'
Yes
default-srcDefault'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
img-srcImages'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
style-srcStyles'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
font-srcFonts'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
object-srcObjects'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
media-srcMedia'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
child-srcChild'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
form-actionForm actions'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
worker-srcWorkers'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
base-uriBase URI'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
manifest-srcManifests'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
frame-srcFrames'none'
'self'
'unsafe-inline'
'unsafe-eval'
No
frame-ancestorsFrame ancestors'none'
'self'
No
upgrade-insecure-requestsUpgrade insecure requestsN/ANo

​​ More resources

For more information on CSP directives and their values, refer to the following resources in the MDN documentation: