How To Implement Content Security Policy (CSP) Headers For Astro

Content Security Policy (CSP) acts like a shield against XSS attacks. These attacks are sneaky - they trick your browser into running malicious code by hiding it in content that seems trustworthy. CSP's job is to spot these tricks and shut them down, while also alerting you to any attempts it detects.

Trevor I. Lasn Trevor I. Lasn
· 4 min read
Building 0xinsider.com — see who's winning across prediction markets (Polymarket, Kalshi, and more) — and what they're trading right now.

Content Security Policy is like a bouncer for your website. It tells the browser what content is allowed to load and from where. This helps prevent a whole bunch of nasty attacks, like Cross-Site Scripting (XSS) and data injection.

Update: Astro Now Has Native CSP Support

As of Astro 5.9.0, you can enable native CSP support through an experimental feature. This is the recommended approach now instead of the workarounds below.

Here’s the basic setup:

import { defineConfig } from 'astro/config';


export default defineConfig({
  experimental: {
    csp: true
  }
});

Astro automatically generates CSP hashes for your inline scripts and styles. No more 'unsafe-inline' directives.

If you’re using Vercel, Netlify, or Node adapters, enable experimentalStaticHeaders to serve CSP headers properly:

import { defineConfig } from 'astro/config';
import vercel from '@astrojs/vercel';


export default defineConfig({
  experimental: {
    csp: true
  },
  adapter: vercel({
    experimentalStaticHeaders: true
  })
});

You can customize CSP directives in your config:

export default defineConfig({
  experimental: {
    csp: {
      directives: [
        "default-src 'self'",
        "img-src 'self' https://images.cdn.example.com"
      ],
      scriptDirective: {
        resources: ["https://cdn.example.com"],
        strictDynamic: true
      }
    }
  }
});

For per-page CSP customization, use the runtime API in your Astro components:

---
Astro.csp.insertDirective("default-src 'self'");
Astro.csp.insertScriptResource("https://scripts.cdn.example.com");
---

This eliminates the need for vercel.json files or Cloudflare Page Rules. The CSP is now part of Astro’s build process.

Legacy Approaches

The methods below still work but are no longer the recommended way. Use native CSP support instead.

Content Security Policy (CSP) should be implemented as a response header, not a request header. The server sends the CSP directives to the browser as part of its response, and the browser enforces these policies when loading content.

Here’s a basic CSP setup using the old astro.config.mjs approach (development only):

import { defineConfig } from 'astro/config';


export default defineConfig({
  server: {
    headers: {
      "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
    }
  }
});

The default-src 'self' directive only allows resources from the same origin. The script-src and style-src directives allow inline scripts and styles, which Astro uses for hydration.

The Astro CSP Gotcha

Astro has a unique architecture that can trip up CSP. It uses a technique called “partial hydration” where some components are static and others are interactive. This means your CSP needs to be flexible enough to allow for this hybrid approach.

Here’s a more comprehensive CSP for a typical Astro site.

export default defineConfig({
  server: {
    headers: {
      "Content-Security-Policy": `
        default-src 'self';
        script-src 'self' 'unsafe-inline' 'unsafe-eval';
        style-src 'self' 'unsafe-inline';
        img-src 'self' data: https:;
        font-src 'self';
        object-src 'none';
        base-uri 'self';
        form-action 'self';
        frame-ancestors 'none';
        block-all-mixed-content;
        upgrade-insecure-requests;
      `
    }
  }
});

This policy is more permissive but still secure. It allows for Astro’s hydration needs 'unsafe-eval' and common use cases like loading images from HTTPS sources.

Vercel Approach

With Vercel, you can use a vercel.json file in your project root:

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Content-Security-Policy",
          "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
        }
      ]
    }
  ]
}

This applies the CSP header to all routes on your Vercel-deployed Astro site. All you have to do with git push to deploy your changes.

Cloudflare Approach

Cloudflare uses Page Rules to add headers. Go to your Cloudflare dashboard, navigate to Rules > Page Rules, and click the ‘Modify Response Headers’ tab. Create a new rule and add a static header to the response with the header name Content-Security-Policy and your CSP string as the value.

Cloudflare Page Rule

The advantage here is you can update your CSP without redeploying your site.

Read Also

Trevor I. Lasn

Building 0xinsider.com — see who's winning across prediction markets (Polymarket, Kalshi, and more) — and what they're trading right now. Product engineer based in Tartu, Estonia, building and shipping for over a decade.

Found this article helpful? You might enjoy my free newsletter. I share dev tips and insights to help you grow your coding skills and advance your tech career.

Related Articles

Check out these related articles that might be useful for you. They cover similar topics and provide additional insights.

Webdev
4 min read

CSS :interest-source and :interest-target Pseudo-Classes

Style connected UI elements with CSS pseudo-classes that respond to user interest. Interactive examples showing tooltips, forms, and navigation without JavaScript.

Nov 12, 2025
Read article
Webdev
3 min read

CVE-2025-29927 - Next.js Middleware Bypass Explained In Simple Terms

The vulnerability skips Next.js middleware security checks by adding a single HTTP header

Apr 6, 2025
Read article
Webdev
3 min read

Preloading Responsive Images

How to properly preload responsive images to improve initial page load

Nov 28, 2024
Read article
Webdev
8 min read

Become a Web Developer in 180 Days

A comprehensive roadmap to becoming a proficient web developer

Oct 29, 2019
Read article
Webdev
12 min read

Robust Data Fetching Architecture For Complex React/Next.js Apps

How I use the 'Three Layers of Data' architecture pattern for React and Next.js apps to avoid common pitfalls, tech debt, and improve performance

May 4, 2025
Read article
Webdev
4 min read

Speed Up Your Website With rel='preconnect' and increase PageSpeed Insights Score

Using link rel='preconnect' can improve your website's performance by reducing connection setup times to key external domains.

Sep 13, 2024
Read article
Webdev
4 min read

Optimize Your Astro Site's <head> with astro-capo

Automatically improve your Astro site's performance using astro-capo

Oct 19, 2024
Read article
Webdev
12 min read

Frontend Security Checklist

Tips for Keeping All Frontend Applications Secure

Jul 30, 2024
Read article
Webdev
4 min read

LH and RLH: The CSS Units That Make Vertical Spacing Easy

Exploring new CSS line-height units that eliminate guesswork from vertical rhythm

Dec 3, 2024
Read article
all articles

This article was originally published on https://www.trevorlasn.com/blog/csp-headers-astro. It was written by a human and polished using grammar tools for clarity.