A Content Security Policy (CSP) is an HTTP response header that allows website owners to control which resources — scripts, stylesheets, images, fonts — the browser is permitted to load. It is one of the most effective defences against Cross-Site Scripting (XSS) attacks.
How CSP Works
The server sends a CSP header that defines allowed sources for each resource type. The browser enforces the policy, blocking anything not explicitly allowed:
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; img-src *; style-src 'self' 'unsafe-inline'
Common CSP Directives
default-src — Fallback for all resource types not explicitly set.
script-src — Controls JavaScript sources. Disallowing 'unsafe-inline' blocks inline scripts.
style-src — Controls CSS sources.
img-src — Controls image sources.
connect-src — Controls fetch, XHR, WebSocket connections.
frame-ancestors — Replaces X-Frame-Options; controls which sites can embed the page in an iframe.
CSP and XSS
Even if an attacker successfully injects a script into an HTML page, CSP can prevent it from executing if it does not come from an allowed source. A strict CSP (no 'unsafe-inline', no 'unsafe-eval') is a powerful XSS mitigation.
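The evaluator below is an added example, not code from the original article or from any browser. It parses the example header from "How CSP Works", applies the default-src fallback from the directive list, decides whether a resource URL would be allowed under a directive, and audits the policy for the settings the XSS section warns about ('unsafe-inline', 'unsafe-eval', wildcards). Matching is deliberately simplified: 'self', '*', scheme sources such as "https:", and host sources with an optional "*." wildcard and port; nonces, hashes and 'strict-dynamic' are out of scope. The page URL https://www.example.com/ and the resource URLs are constructed sample inputs.

```python
# Added example (not from the original article or any browser): a minimal
# CSP evaluator covering header parsing, the default-src fallback, per-resource
# source matching, and an audit of XSS-relevant weaknesses.
from typing import Optional
from urllib.parse import urlsplit

# Fetch directives that inherit default-src when not set (subset of the spec's list).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "font-src"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# The example header from the article, used as sample input.
PAGE_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
               "img-src *; style-src 'self' 'unsafe-inline'")


def parse_csp(header: str) -> dict:
    """'a b; c d e' -> {'a': ['b'], 'c': ['d', 'e']}. A repeated directive keeps its first value, as browsers do."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """Source list governing `directive`: fetch directives fall back to default-src, others never do."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FETCH_DIRECTIVES else []


def _origin(url: str) -> tuple:
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def _parse_host_source(source: str) -> tuple:
    """'https://*.example.com:8443/path' -> ('https', '*.example.com', 8443); missing parts are None."""
    scheme: Optional[str] = None
    rest = source
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    host, _, port = rest.split("/", 1)[0].partition(":")
    return (scheme.lower() if scheme else None), host.lower(), (int(port) if port else None)


def source_matches(source: str, resource_url: str, page_url: str) -> bool:
    """True if one source expression permits loading resource_url from a page served at page_url."""
    scheme, host, port = _origin(resource_url)
    if source == "'self'":
        return (scheme, host, port) == _origin(page_url)
    if source.startswith("'"):                      # 'none', 'unsafe-inline', ... never match a URL
        return False
    if source == "*":
        return scheme in DEFAULT_PORTS               # simplified: '*' excludes data:, blob:, etc.
    if source.endswith(":") and "/" not in source:   # scheme source such as "https:"
        return scheme == source[:-1].lower()
    src_scheme, src_host, src_port = _parse_host_source(source)
    if src_scheme is not None and src_scheme != scheme:
        return False
    if src_port is not None and src_port != port:
        return False
    if src_host.startswith("*."):                    # wildcard matches subdomains only, not the bare domain
        return host.endswith(src_host[1:]) and len(host) > len(src_host) - 1
    return host == src_host


def is_allowed(policy: dict, directive: str, resource_url: str, page_url: str) -> bool:
    """Would the browser load resource_url under `directive` on a page served from page_url?"""
    return any(source_matches(s, resource_url, page_url)
               for s in effective_sources(policy, directive))


def audit(policy: dict) -> list:
    """Flag settings that weaken CSP as an XSS mitigation (what a strict policy must avoid)."""
    findings = []
    script = effective_sources(policy, "script-src")
    if not script:
        findings.append("no script-src and no default-src: scripts may load from anywhere")
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline': an injected <script> block still runs")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': eval()/Function() on attacker-controlled strings")
    if "*" in script or any(s.endswith(":") for s in script):
        findings.append("script-src contains a wildcard or bare scheme: any host can serve scripts")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors not set: any site may embed this page in an iframe")
    return findings


if __name__ == "__main__":
    policy = parse_csp(PAGE_POLICY)
    page = "https://www.example.com/"
    for directive, url in [("script-src", "https://cdn.example.com/lib.js"),
                           ("script-src", "https://evil.example/x.js"),
                           ("img-src", "http://anywhere.example/a.png"),
                           ("connect-src", "https://api.example.com/v1")]:
        verdict = "allowed" if is_allowed(policy, directive, url, page) else "BLOCKED"
        print(f"{directive:12} {url:40} {verdict}")
    for finding in audit(policy):
        print("finding:", finding)
```

Running it shows the three effects worth knowing: the CDN script is allowed and the foreign script is blocked, images load from anywhere because of `img-src *`, and the fetch to api.example.com is blocked because connect-src is unset and inherits `default-src 'self'`. The audit passes the script-src settings but notes that the example header never sets frame-ancestors.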
CSP Report Mode
Before enforcing a policy, send it in a Content-Security-Policy-Report-Only header: the browser reports violations but blocks nothing. This lets you tune the policy without breaking the site.
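The helpers below are an added example for the report-only rollout described above; they are not code from the original article. build_header() emits either the report-only or the enforcing header with a report-uri directive appended so the browser POSTs each violation as JSON (report-uri is being superseded by report-to and the Reporting API, but it remains the simplest way to collect reports and is still widely supported), and summarise_reports() aggregates the POST bodies by directive and blocked origin so you can see what would break before switching headers. The /csp-report endpoint path and the report bodies are constructed values for this example; the JSON shape ("csp-report" wrapper with hyphenated keys) is the report-uri format browsers send.

```python
# Added example (not from the original article): build the report-only header
# and aggregate the violation reports the browser sends back, so the policy can
# be tuned before it is enforced. Endpoint path and sample reports are constructed.
import json
from collections import Counter
from urllib.parse import urlsplit

REPORT_ONLY = "Content-Security-Policy-Report-Only"
ENFORCING = "Content-Security-Policy"

# Same policy as the article's example header.
POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
          "img-src *; style-src 'self' 'unsafe-inline'")


def build_header(policy: str, report_endpoint: str, enforce: bool = False) -> tuple:
    """Return (header name, header value). Start with enforce=False; flip to True once reports are clean."""
    name = ENFORCING if enforce else REPORT_ONLY
    return name, f"{policy.rstrip('; ')}; report-uri {report_endpoint}"


def parse_report(body: bytes) -> dict:
    """Pull the useful fields out of one violation report POSTed by the browser."""
    r = json.loads(body)["csp-report"]
    # Older reports carry only violated-directive, sometimes with its full source list after the name.
    directive = r.get("effective-directive") or (r.get("violated-directive") or "unknown").split()[0]
    return {"directive": directive,
            "blocked": r.get("blocked-uri", ""),
            "document": r.get("document-uri", "")}


def _blocked_origin(blocked_uri: str) -> str:
    """Reduce a blocked URL to its origin; 'inline' and 'eval' are pseudo-URIs and are kept as-is."""
    if "://" not in blocked_uri:
        return blocked_uri
    p = urlsplit(blocked_uri)
    return f"{p.scheme}://{p.netloc}"


def summarise_reports(bodies: list) -> Counter:
    """Count (directive, blocked origin) pairs across all received reports."""
    counts: Counter = Counter()
    for body in bodies:
        r = parse_report(body)
        counts[(r["directive"], _blocked_origin(r["blocked"]))] += 1
    return counts


def origins_to_review(counts: Counter) -> dict:
    """Origins that the policy would block, per directive. Review each one by hand: a legitimate CDN gets
    added to the policy, an unknown origin is exactly what the policy should keep blocking. 'inline'
    hits are not listed because the fix is moving the script out of the page, not relaxing script-src."""
    out: dict = {}
    for (directive, origin) in counts:
        if "://" in origin:
            out.setdefault(directive, set()).add(origin)
    return out


def _report(directive: str, blocked: str) -> bytes:
    """Constructed sample report body in the report-uri JSON format."""
    return json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/checkout",
        "effective-directive": directive,
        "violated-directive": directive,
        "blocked-uri": blocked,
        "original-policy": build_header(POLICY, "/csp-report")[1],
    }}).encode()


SAMPLE_REPORTS = [
    _report("script-src", "inline"),
    _report("script-src", "inline"),
    _report("script-src", "https://tracker.example/t.js"),
    _report("connect-src", "https://api.example.com/v1/cart"),
]

if __name__ == "__main__":
    name, value = build_header(POLICY, "/csp-report")
    print(f"{name}: {value}")
    counts = summarise_reports(SAMPLE_REPORTS)
    for (directive, origin), n in sorted(counts.items()):
        print(f"{n:3}  {directive:12} {origin}")
    print("review:", origins_to_review(counts))
```

With the constructed reports the summary shows two inline-script hits (fix the page, do not add 'unsafe-inline'), one script from tracker.example and one fetch to api.example.com. The API origin is the kind of entry that belongs in connect-src; the tracker is the kind of entry to confirm with the team before allowing it, since a report-only run records attacker-injected resources just as faithfully as your own.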
Check your CSP and other security headers with our HTTP Header Checker.