default-srcdefault-src defines the fallback policy applied when a more specific fetch directive is not present. Most resource-loading directives — script-src, style-src, img-src, font-src, connect-src and others — inherit this value when omitted. It effectively sets the baseline for the entire policy.
Its value is a list of source expressions: 'self' (the current origin), 'none' (block everything), host sources (https://cdn.example.com), scheme sources (https:, data:, blob:), and — meaningful only for script/style families — 'unsafe-inline', 'unsafe-eval', 'nonce-...', 'sha256-...', and 'strict-dynamic'. Setting default-src 'self' forces all resources to load from the same origin, while any directive you specify explicitly overrides default-src for that resource type.
In practice, teams lay down a safe baseline of default-src 'self' and then open exceptions for specific resource types via individual directives (a whitelist pattern). Crucially, default-src does not cover everything: base-uri, form-action, frame-ancestors, sandbox, and report-uri/report-to do NOT fall back to default-src, so they must be declared separately.
Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'