The Content Security Policy at Scale

Roll out and maintain CSP across a large app without breaking pages.

6 min read · advanced

What CSP does

A content security policy tells the browser which sources of scripts, styles, and other content are trusted. It is a strong defense against cross-site scripting (XSS).

  • It blocks inline scripts unless explicitly allowed.
  • It restricts where scripts and frames may load from.
  • Violations can be reported so you see what would break.

Rolling out safely

Deploy in report-only mode first, collect violation reports, then switch to enforcement once the policy is clean.

Techniques at scale

  • Use a nonce or hash per response so inline scripts can be allowed precisely.
  • Avoid broad allow lists; they weaken the policy back toward having none at all.
  • Centralize policy generation so every team inherits a safe baseline.

Operational notes

  • Watch the violation report stream for new third party scripts.
  • Version the policy and roll changes out gradually behind report-only mode.
  • Beware that one weak directive can undermine the whole policy.

Key idea

CSP at scale means rolling out in report-only mode, using nonces instead of broad allow lists, and centralizing the baseline so the policy stays strong everywhere.

Check yourself

Answer to earn rating on the learn ladder.

1. What is the safe way to introduce a strict CSP?

2. Why prefer a nonce over a broad allow list?

3. What risk does one weak directive create?