What does the Content Security Policy (CSP) Directive regex match?

Matches a CSP directive with its source list.

Is the Content Security Policy (CSP) Directive regex ReDoS-safe?

Yes. Manually audited and tested against ReDoS attack strings. Anchors and possessive-style constraints prevent runaway backtracking paths.

Security/Security Headers

Verified Safe

Content Security Policy (CSP) Directive Regex for Java

/^(default-src|script-src|style-src|img-src|connect-src|font-src|object-src|media-src|frame-src|child-src|form-action|frame-ancestors|base-uri|report-uri|report-to|upgrade-insecure-requests|block-all-mixed-content|sandbox|worker-src|manifest-src|prefetch-src)(?:\s+(.+))?$/i

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching content security policy (csp) directive, ported and verified for Java. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your Java project — whether you're validating in a Spring Boot controller, a Jakarta EE service, or a standalone utility class.

Java Implementation

Java

// Content Security Policy (CSP) Directive
// ReDoS-safe | RegexVault — Security > Security Headers

import java.util.regex.Pattern;

public class ContentSecurityPolicyCspDirectiveValidator {
    private static final Pattern PATTERN =
        Pattern.compile("^(default-src|script-src|style-src|img-src|connect-src|font-src|object-src|media-src|frame-src|child-src|form-action|frame-ancestors|base-uri|report-uri|report-to|upgrade-insecure-requests|block-all-mixed-content|sandbox|worker-src|manifest-src|prefetch-src)(?:\\s+(.+))?$");

    public static boolean validate(String input) {
        return PATTERN.matcher(input).matches();
    }

    // Example
    public static void main(String[] args) {
        System.out.println(validate("default-src 'self'")); // true
    }
}

Test Cases

Matches (Valid)	Rejects (Invalid)
`default-src 'self'`	`evil-src 'self'`
`script-src 'self' https://cdn.example.com 'nonce-abc123'`	`src 'self'`
`object-src 'none'`	—
`upgrade-insecure-requests`	—

When to use this pattern

This pattern is drawn from the Security > Security Headers category and carries a ReDoS-safe certification. That matters for Java developers because critical in Java applications since the JVM regex engine uses backtracking and is susceptible to ReDoS without careful pattern design. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

'unsafe-inline' and 'unsafe-eval' negate much of CSP's protection. Prefer nonce-based CSP where a random nonce is generated per request. The CSP Evaluator tool (from Google) checks CSP policies for weaknesses.

Technical Notes

CSP source keywords: 'self' (same origin), 'none' (block all), 'unsafe-inline' (dangerous), 'unsafe-eval' (dangerous), 'nonce-{base64}' (nonce), 'sha256-{hash}' (hash). A strong CSP eliminates most XSS attack surfaces. object-src 'none' and base-uri 'self' are critical.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern