What CSP Is
A Content Security Policy is an HTTP response header that tells the browser which sources of scripts, styles, images, and other content are allowed to load and run. It acts as a strong second layer of defense, so even if untrusted markup slips through, the browser refuses to execute disallowed script.
Key Directives
- script-src restricts where executable scripts may come from.
- default-src sets a fallback for resource types you do not list explicitly.
- object-src 'none' disables risky plugin content, and frame-ancestors controls who may embed your page.
Making It Effective
- Avoid 'unsafe-inline' by moving scripts to external files or using a per-response nonce so only trusted inline blocks run.
- Start in report-only mode to collect violations without breaking the site, then switch to enforcing.
- Keep the policy strict and specific rather than allowing broad wildcards.
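The following is an added example, not code from the original page: it builds the strict nonce-based policy described above (with a report-only variant for the rollout phase) and includes a simplified model of how a browser decides whether a single script is allowed under a given script-src. The /csp-report endpoint and the page origin https://app.example are assumed placeholders.

```python
from __future__ import annotations
import secrets
from urllib.parse import urlsplit

def make_nonce() -> str:
    """Fresh 128-bit nonce; generate one per response and never reuse it."""
    return secrets.token_urlsafe(16)

def build_csp(nonce: str, report_only: bool = False) -> tuple[str, str]:
    """Return (header name, header value) for a strict nonce-based policy."""
    policy = "; ".join([
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'none'",
        "frame-ancestors 'none'",
        "report-uri /csp-report",  # assumed endpoint that receives violation reports
    ])
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, policy

def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy string into {directive: [source expressions]}."""
    out: dict[str, list[str]] = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0]] = parts[1:]
    return out

def script_allowed(policy: str, *, src: str | None = None, nonce: str | None = None,
                   page_origin: str = "https://app.example") -> bool:
    """Simplified model of the browser's script-src decision for one <script>.
    src=None means an inline script; nonce is the element's nonce attribute.
    Hash sources and runtime-inserted scripts are not modelled."""
    d = parse_csp(policy)
    sources = d.get("script-src", d.get("default-src", []))
    if "'none'" in sources:
        return False
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True  # trusted by its per-response nonce
    has_nonce = any(s.startswith("'nonce-") for s in sources)
    if src is None:
        # inline script: 'unsafe-inline' only counts when no nonce source is present
        return "'unsafe-inline'" in sources and not has_nonce
    if "'strict-dynamic'" in sources:
        return False  # host allowlists and 'self' are ignored; the script needs a nonce
    u = urlsplit(src)
    origin = f"{u.scheme}://{u.netloc}"
    if "'self'" in sources and origin == page_origin:
        return True
    return any(s in (origin, u.netloc, f"{u.scheme}:") for s in sources)
```

Run with report_only=True first, watch the reports for legitimate scripts that lack a nonce, then flip to the enforcing header name.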
Key idea
A strict Content Security Policy turns the browser into an allowlist enforcer, sharply limiting the impact of injected content when other defenses fail.