strict-dynamic CSP Source Expression ('strict-dynamic')


Definition: 'strict-dynamic' is a CSP Level 3 keyword source expression used in the script-src directive (or in default-src, which script-src falls back to). It allows scripts that an already trusted script creates through DOM APIs such as document.createElement() and appendChild() to execute without their origins being allowlisted. Combined with nonces or hashes it creates a trust chain: a script carrying a valid nonce or matching hash is trusted, scripts it creates programmatically inherit that trust whatever their origin, and parser-inserted scripts without a nonce or hash, including markup an attacker injects and scripts added with document.write(), are blocked.

Why You Should Care About strict-dynamic

strict-dynamic solves a practical CSP deployment problem. Modern web applications often load scripts that in turn load other scripts dynamically (analytics, tag managers, libraries from CDNs). Without strict-dynamic you would have to allowlist every origin those scripts might load from, which is fragile to maintain and, in practice, frequently bypassable: an allowlisted CDN that also hosts a JSONP endpoint or an older library with known script gadgets gives an attacker who has an HTML injection a way to run code from inside the allowlist.

With strict-dynamic you add a nonce only to the first-party script tags in your markup. Those scripts can then create further script elements with DOM APIs such as document.createElement() and appendChild(), and the scripts created that way inherit trust whatever their origin. Trust does not flow through parser-inserted paths: a script written with document.write() or injected as markup still needs its own nonce. This makes CSP deployment feasible for complex applications that use module loaders, dynamic imports, or third-party script managers.

When 'strict-dynamic' is present, browsers that understand it ignore host sources (such as cdn.example.com), scheme sources (such as https:), 'self' and 'unsafe-inline' in that directive; only nonces, hashes and the trust they propagate decide whether a script runs. 'unsafe-eval' is not affected. This is intentional: it removes the allowlist as an attack surface and lets you keep legacy sources in the policy for older browsers without weakening the policy in modern ones.
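To make these decision rules concrete, here is a small model of the browser's script-src decision, added as an example for this page rather than taken from it or from any browser implementation. It models only what the text above describes (nonces, host, scheme, 'self' and 'unsafe-inline' sources, and the parser-inserted versus DOM-created distinction); hashes, ports, paths and 'unsafe-eval' are left out, and the policies, origins and scenario names are constructed for illustration.

```javascript
// Added example, not code from the original page: a simplified model of the
// browser's script-src decision, with and without 'strict-dynamic'. Origins are
// plain "scheme://host" strings; hashes, ports, paths and 'unsafe-eval' are omitted.

function parseSourceList(scriptSrc) {
  const tokens = scriptSrc.trim().split(/\s+/);
  return {
    strictDynamic: tokens.includes("'strict-dynamic'"),
    unsafeInline: tokens.includes("'unsafe-inline'"),
    self: tokens.includes("'self'"),
    nonces: tokens
      .filter((t) => t.startsWith("'nonce-") && t.endsWith("'"))
      .map((t) => t.slice("'nonce-".length, -1)),
    // Host and scheme sources: every token that is not a quoted keyword
    hosts: tokens.filter((t) => !t.startsWith("'")),
  };
}

// Match one host/scheme source (https:, cdn.example.com, https://cdn.example.com,
// *.example.com) against a script origin.
function hostMatches(source, origin) {
  if (origin === null) return false; // inline scripts never match host sources
  const [scheme, host] = origin.toLowerCase().split("://");
  if (source.endsWith(":")) return source.slice(0, -1).toLowerCase() === scheme;
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/]+)$/i);
  if (!m) return false;
  if (m[1] && m[1].toLowerCase() !== scheme) return false;
  const srcHost = m[2].toLowerCase();
  if (srcHost.startsWith("*.")) return host.endsWith(srcHost.slice(1));
  return srcHost === host;
}

// script = { origin, nonce, parserInserted }
//   origin:         "scheme://host" of an external script, or null for inline
//   nonce:          the element's nonce attribute, or null
//   parserInserted: true for markup in the HTML response and for document.write(),
//                   false for elements created with createElement()/appendChild()
function isScriptAllowed(scriptSrc, script, pageOrigin) {
  const p = parseSourceList(scriptSrc);
  const nonceMatches = script.nonce !== null && p.nonces.includes(script.nonce);

  if (p.strictDynamic) {
    // Host, scheme, 'self' and 'unsafe-inline' are ignored. Trust comes only from a
    // matching nonce and is propagated to scripts that trusted code creates through
    // DOM APIs. Parser-inserted scripts without a nonce are blocked.
    return nonceMatches || !script.parserInserted;
  }

  // Legacy allowlist behaviour (no 'strict-dynamic')
  if (nonceMatches) return true;
  if (script.origin === null) return p.unsafeInline && p.nonces.length === 0; // a nonce disables 'unsafe-inline'
  if (p.self && script.origin.toLowerCase() === pageOrigin.toLowerCase()) return true;
  return p.hosts.some((h) => hostMatches(h, script.origin));
}

// Constructed scenarios: one allowlist policy and one nonce + 'strict-dynamic' policy.
const ALLOWLIST_POLICY = "'self' https://cdn.example.com";
const STRICT_POLICY = "'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline'";
const PAGE_ORIGIN = "https://www.example.com";

const SCENARIOS = {
  firstPartyBundle: { origin: "https://www.example.com", nonce: "r4nd0m", parserInserted: true },
  injectedCdnJsonp: { origin: "https://cdn.example.com", nonce: null, parserInserted: true },
  injectedInline: { origin: null, nonce: null, parserInserted: true },
  tagManagerChild: { origin: "https://tags.example.net", nonce: null, parserInserted: false },
  trustedDocWrite: { origin: "https://cdn.example.com", nonce: null, parserInserted: true },
};

function evaluateAll() {
  const out = {};
  for (const [name, script] of Object.entries(SCENARIOS)) {
    out[name] = {
      allowlist: isScriptAllowed(ALLOWLIST_POLICY, script, PAGE_ORIGIN),
      strict: isScriptAllowed(STRICT_POLICY, script, PAGE_ORIGIN),
    };
  }
  return out;
}

console.table(evaluateAll());
```

The table the script prints makes the trade-off visible: the allowlist policy runs the injected JSONP script from the trusted CDN and blocks the tag manager's dynamically created child, while the nonce plus 'strict-dynamic' policy does the opposite. It also shows the caveat from the text above: the trusted script's document.write() output is parser-inserted and is blocked under 'strict-dynamic'.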

How to Test for strict-dynamic

To check a deployment, read the Content-Security-Policy response header and confirm that script-src (or default-src, if script-src is absent) contains 'strict-dynamic' together with a nonce that changes on every response or a hash for each inline script; a static nonce defeats the purpose, since an attacker who has seen one response can reuse it. If you are implementing CSP for the first time, script-src 'nonce-{random}' 'strict-dynamic' is a well-established starting point, usually paired with object-src 'none' and base-uri 'none'. It provides strong XSS protection while accommodating dynamic script loading.


Questions and Answers

Does strict-dynamic work in all browsers?
strict-dynamic is supported in all modern browsers (Chrome, Firefox, Safari, Edge). Browsers that do not recognize it ignore the keyword and evaluate the remaining source expressions in the directive, so a policy can carry allowlist fallback sources for them; in browsers that do support 'strict-dynamic' those fallback sources are ignored, so the fallback does not weaken the policy there.
Can I use strict-dynamic without nonces?
strict-dynamic must be used with either nonces or hashes. Without them there is no way to establish initial trust: every script in the markup is parser-inserted and, lacking a nonce or hash, is blocked, so no trusted script ever runs to create further scripts. The nonce or hash marks the first-party scripts as trusted, and strict-dynamic extends that trust to the scripts they create.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.