connect-srcconnect-src controls the endpoints that scripts may open network connections to, covering fetch(), XMLHttpRequest, WebSocket, EventSource (SSE), navigator.sendBeacon, and <a ping>. When omitted it inherits from default-src.
You allowlist API servers (https://api.example.com), WebSocket servers (wss://ws.example.com), and analytics endpoints. This directive is central to exfiltration defense: even if an XSS fires, an attacker must get past connect-src to send stolen data to an arbitrary server, so tightly restricting connection targets sharply limits damage.
In practice, WebSockets require explicit ws://wss:// schemes; be aware that an http(s) allowlist alone may not authorize WebSocket connections. Include analytics sendBeacon targets, SSE streams, and any third-party SDK remote-call domains, or features will break.
Content-Security-Policy: connect-src 'self' https://api.example.com wss://ws.example.com