ContentSecurityPolicy
Fluent builder for the Content-Security-Policy HTTP response header.
Usage
ContentSecurityPolicy()

Default header value: default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; form-action 'self'
Notes
* The structured helpers intentionally avoid full CSP validation; use .value(...) when you need to emit an exact policy string.
* Multiple policies can be sent by instantiating another ContentSecurityPolicy and adding it to Secure.headers_list.
* MDN describes fallback behavior between directives (e.g., default-src acts as a fallback for fetch directives).
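
The fallback behavior in the last note, applied to the default header value above. This is an added example, not code from the library or its documentation; parse_policy and effective_sources are hypothetical helper names, and the fallback chains are those of CSP Level 3.

```python
# Added example; parse_policy and effective_sources are hypothetical helpers,
# not part of the library documented on this page.
DEFAULT_POLICY = (
    "default-src 'self'; script-src 'self'; style-src 'self'; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'self'; "
    "form-action 'self'"
)

# Intermediate fallbacks for fetch directives (CSP Level 3).
# Every chain implicitly ends at default-src.
FALLBACKS = {
    "script-src-elem": ["script-src"],
    "script-src-attr": ["script-src"],
    "style-src-elem": ["style-src"],
    "style-src-attr": ["style-src"],
    "frame-src": ["child-src"],
    "worker-src": ["child-src", "script-src"],
}
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "img-src", "manifest-src",
    "media-src", "object-src", "script-src", "style-src", *FALLBACKS,
}


def parse_policy(value):
    """Parse a serialized policy; the first occurrence of a directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Return (governing directive, sources), or None if nothing restricts it."""
    if directive in policy:
        return directive, policy[directive]
    if directive not in FETCH_DIRECTIVES:
        return None  # base-uri, form-action, frame-ancestors: no fallback
    for name in FALLBACKS.get(directive, []) + ["default-src"]:
        if name in policy:
            return name, policy[name]
    return None


if __name__ == "__main__":
    policy = parse_policy(DEFAULT_POLICY)
    for d in ("img-src", "script-src-elem", "object-src", "base-uri"):
        print(d, "->", effective_sources(policy, d))
```

Because base-uri, form-action and frame-ancestors never fall back to default-src, a policy that omits them leaves them unrestricted; the default value above sets each one explicitly.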
Resources:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
- https://owasp.org/www-project-secure-headers/#content-security-policy
Parameter Attributes
header_name: str
_directives: dict[str, list[str] | None] = dict()
_raw_value: str | None = None