connect-src
Content-Security-Policy Fetch

Overview

connect-src controls the endpoints that scripts may open network connections to, covering fetch(), XMLHttpRequest, WebSocket, EventSource (SSE), navigator.sendBeacon, and <a ping>. When omitted it inherits from default-src.

Details

You allowlist API servers (https://api.example.com), WebSocket servers (wss://ws.example.com), and analytics endpoints. This directive is central to exfiltration defense: even if an XSS fires, an attacker must get past connect-src to send stolen data to an arbitrary server, so tightly restricting connection targets sharply limits damage.

In practice, WebSockets require explicit ws://wss:// schemes; be aware that an http(s) allowlist alone may not authorize WebSocket connections. Include analytics sendBeacon targets, SSE streams, and any third-party SDK remote-call domains, or features will break.

Syntax

Content-Security-Policy: connect-src 'self' https://api.example.com wss://ws.example.com

Notes

Related directives