Content Security Policy (CSP)
CSP reduces XSS risk by letting the server tell the browser which sources may load scripts, styles, images and other resources, and by blocking everything else.
InfoCategory: headers
What it is
CSP is an HTTP response header (Content-Security-Policy) that gives the browser a per-resource-type allowlist: script-src for scripts, style-src for styles, img-src for images, and so on, with default-src as the fallback for directives that are not set. Anything outside the allowlist is blocked, so an injected <script> tag or inline event handler that does not match script-src never executes. For XSS mitigation the script-src directive is the one that matters, and it should rely on per-response nonces or hashes rather than 'unsafe-inline' or broad host allowlists.
Why it matters
- Defense in depth against XSS: it does not remove the injection bug, but it stops injected scripts from executing when script-src is strict (nonces or hashes, no 'unsafe-inline').
- Controls which third-party origins may serve scripts; 'strict-dynamic' lets an allowed script load its own dependencies without widening the host list.
- Can be rolled out safely: send Content-Security-Policy-Report-Only first, collect violation reports via report-uri or report-to, fix the breakage, then switch to the enforcing header.
Common pitfalls
- Overly permissive policies: 'unsafe-inline' in script-src lets any injected inline script run and defeats the point of the header, and broad sources such as *, https: or large shared CDNs are nearly as bad.
- Breaking sites by blocking required script/style sources; test in Report-Only mode before enforcing.
- Forgetting to allow essential endpoints (fonts, analytics, connect-src for fetch/XHR, etc.), or forgetting that directives without a default-src fallback (base-uri, form-action) are unrestricted when omitted.
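As an added example (not code from the original page), the following Python builds a nonce-based policy for either the enforcing or the Report-Only header, and audits an existing policy string for the pitfalls above. The function names, the audit rules and the sample policies are assumptions chosen for illustration.

```python
import base64
import secrets

# Added example, not from the original page. Keyword sources are compared
# case-insensitively; nonce values themselves are only tested by prefix.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD_SCRIPT_SOURCES = ("*", "http:", "https:", "data:")


def make_nonce() -> str:
    """Fresh random nonce for one response; never reuse it across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str, report_only: bool = False,
              report_endpoint: str = "/csp-report") -> tuple:
    """Return (header_name, header_value) for a nonce-based policy.

    With report_only=True the Content-Security-Policy-Report-Only header is
    returned, which only reports violations and blocks nothing.
    """
    directives = [
        "default-src 'self'",
        # 'strict-dynamic' lets a nonced script load further scripts and makes
        # browsers ignore host allowlists in this directive.
        "script-src 'nonce-%s' 'strict-dynamic'" % nonce,
        "object-src 'none'",
        "base-uri 'none'",
        # report-uri is the older reporting directive; report-to is its successor.
        "report-uri %s" % report_endpoint,
    ]
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, "; ".join(directives)


def parse_csp(policy: str) -> dict:
    """Split a policy string into {directive_name: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy: str) -> list:
    """Return a list of findings for the weaknesses discussed above (assumed rules)."""
    directives = parse_csp(policy)
    findings = []

    # script-src falls back to default-src when absent; if neither is set,
    # script loading is unrestricted.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
        script_src = []
    lowered = [s.lower() for s in script_src]

    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only
    # flag it when nothing neutralises it.
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts will run")
    if "'unsafe-eval'" in lowered:
        findings.append("script-src allows 'unsafe-eval'")
    for src in lowered:
        if src in BROAD_SCRIPT_SOURCES:
            findings.append("script-src contains broad source %s" % src)

    # object-src falls back to default-src, but anything other than 'none'
    # allows plugin content; base-uri has no fallback at all.
    object_src = directives.get("object-src", directives.get("default-src", []))
    if [s.lower() for s in object_src] != ["'none'"]:
        findings.append("object-src is not 'none'")
    if "base-uri" not in directives:
        findings.append("base-uri is missing: an injected <base> tag can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real site.
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
    for finding in audit_csp(weak):
        print("weak policy:", finding)
    header, value = build_csp(make_nonce(), report_only=True)
    print(header + ":", value)
    print("strict policy findings:", audit_csp(value))
```

The same nonce must be placed in the nonce attribute of every legitimate <script> tag in that one response; the audit deliberately does not flag 'unsafe-inline' when a nonce or hash is present, because browsers that understand nonces ignore it, leaving it only as a fallback for very old browsers.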