The threat
In a cross-site scripting (XSS) attack, an attacker injects script into your page. A Content Security Policy (CSP) limits the damage by declaring which sources the browser may load scripts and other resources from, and by refusing to execute anything else.
How it works
The server sends a Content Security Policy header listing directives. The browser enforces them, refusing anything outside the allowlist.
- script-src controls where scripts may come from.
- style-src controls stylesheet sources.
- default-src is the fallback for any resource type whose own directive is not listed.
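As an added example (not code from the original page, and not a browser's real CSP engine), the following evaluator shows how the directives above decide whether a resource may load, including the default-src fallback when a specific directive is absent. It handles host sources, wildcard hosts, 'self' and 'none' only; nonces and hashes are left out here. The policy strings, page origin and URLs are constructed sample values.

```python
"""Minimal CSP source evaluator (illustration, not a browser implementation)."""
from urllib.parse import urlparse

# Which directive governs each resource type; assumption: only these two types.
DIRECTIVE_FOR = {"script": "script-src", "style": "style-src"}


def parse_policy(header_value: str) -> dict[str, list[str]]:
    """Turn "default-src 'self'; script-src https://cdn.example" into a dict."""
    policy: dict[str, list[str]] = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy[name] = sources
    return policy


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, the unit 'self' compares against."""
    parsed = urlparse(url)
    return f"{parsed.scheme}://{parsed.netloc}"


def source_matches(source: str, page_origin: str, resource_url: str) -> bool:
    """Does one source expression permit resource_url when loaded by page_origin?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(resource_url) == page_origin
    if source == "*":
        return True
    # Host source such as https://cdn.example or https://*.cdn.example;
    # a bare host without scheme is parsed as a network-path reference.
    parsed_source = urlparse(source if "://" in source else "//" + source)
    parsed_url = urlparse(resource_url)
    if parsed_source.scheme and parsed_source.scheme != parsed_url.scheme:
        return False
    host = parsed_source.netloc
    if host.startswith("*."):
        # Wildcard matches subdomains only, not the bare domain itself.
        return parsed_url.netloc.endswith(host[1:])
    return parsed_url.netloc == host


def is_allowed(policy: dict[str, list[str]], resource_type: str,
               page_origin: str, resource_url: str) -> bool:
    """Look up the governing directive; fall back to default-src if it is absent."""
    directive = DIRECTIVE_FOR[resource_type]
    sources = policy.get(directive)
    if sources is None:
        # No specific directive and no default-src means no restriction.
        sources = policy.get("default-src", ["*"])
    return any(source_matches(s, page_origin, resource_url) for s in sources)


if __name__ == "__main__":
    # Constructed sample policy: styles are not listed, so they fall back to default-src.
    policy = parse_policy("default-src 'self'; script-src 'self' https://cdn.example")
    page = "https://app.example"
    for kind, url in [("script", "https://cdn.example/lib.js"),
                      ("script", "https://evil.example/x.js"),
                      ("style", "https://cdn.example/theme.css")]:
        print(kind, url, "allowed" if is_allowed(policy, kind, page, url) else "blocked")
```

Note that the stylesheet from the CDN is blocked even though scripts from the same host are allowed: style-src is absent, so default-src 'self' governs it. That is the usual surprise when a policy is first enforced, and the reason the rollout section recommends a report-only pass.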
Inline scripts
A strict policy forbids inline scripts, which are a common injection vector. To allow trusted inline code, you attach a per-request nonce or a hash of the snippet's exact text, so only your known snippets run.
Rolling it out
Start in report-only mode, which logs violations without blocking, so you can find legitimate sources before enforcing. Then tighten the policy and remove unsafe allowances.
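The inline-script and rollout sections above, as one added example (not code from the original page or any particular web framework): generate a fresh nonce per response, compute the hash for a fixed inline snippet, build the policy, and choose between the report-only and enforcing header names. The trusted CDN origin and the inline snippet are constructed sample values.

```python
"""Building a nonce/hash-based CSP and choosing the rollout header (illustration)."""
import base64
import hashlib
import secrets

CDN = "https://cdn.example"  # assumption: a trusted script host for this app


def make_nonce() -> str:
    """128 bits of randomness, base64 encoded; must be fresh for every response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def script_hash(inline_js: str) -> str:
    """'sha256-...' source expression covering the inline script's exact text.

    Any change to the text, even whitespace, changes the hash and the snippet stops running.
    """
    digest = hashlib.sha256(inline_js.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_policy(nonce: str, inline_hashes: tuple[str, ...] = ()) -> str:
    """Strict policy: no inline scripts except those carrying the nonce or a listed hash."""
    script_sources = ["'self'", CDN, f"'nonce-{nonce}'"] + [f"'{h}'" for h in inline_hashes]
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_sources),
        "style-src 'self'",
    ]
    return "; ".join(directives)


def csp_headers(nonce: str, inline_hashes: tuple[str, ...] = (),
                enforce: bool = False) -> dict[str, str]:
    """Report-only while rolling out; flip enforce=True once violations are clean."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return {name: build_policy(nonce, inline_hashes)}


def render_page(nonce: str, inline_js: str) -> str:
    """Tag the trusted inline snippet with the nonce so the browser executes it."""
    return (f'<script nonce="{nonce}">{inline_js}</script>'
            f'<script src="{CDN}/app.js"></script>')


if __name__ == "__main__":
    # Constructed sample inline snippet that we want to keep without a nonce.
    fixed_snippet = "window.appConfig = {theme: 'dark'};"
    nonce = make_nonce()
    for header, value in csp_headers(nonce, (script_hash(fixed_snippet),)).items():
        print(f"{header}: {value}")
    print(render_page(nonce, "console.log('booted');"))
```

Serve the page with the report-only header first and watch the violation reports; a request whose nonce was reused or whose inline snippet drifted from its hashed text shows up there before anything is blocked. Switching to the enforcing header is then a one-argument change.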
Key idea
A Content Security Policy allowlists resource sources to block injected scripts, using nonces or hashes for trusted inline code and report-only mode for a safe rollout.