Security & TLS

CSP — Content Security Policy

HTTP header that restricts which sources a page can load — protection against XSS attacks.

What is CSP

CSP (Content Security Policy) is an HTTP response header that tells the browser which sources your page is allowed to load: scripts, styles, images, fonts, frames, etc. It is the most powerful browser-level defense against XSS (cross-site scripting) and data exfiltration.

Without CSP, an XSS vulnerability can load malicious JavaScript from any domain on the internet. With CSP, even if the vulnerability is exploited, the browser refuses to execute the code because it does not come from an approved source.

Core Directives

  • default-src — fallback for all resource types
  • script-src — where JavaScript is allowed from
  • style-src — where CSS is allowed from
  • img-src — images
  • connect-src — XHR, fetch, WebSocket
  • font-src — fonts
  • frame-src — iframes
  • report-uri — where to send violation reports

Example CSP Header

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' https://fonts.gstatic.com; report-uri /csp-report

This means:

  • By default, all assets must come from the same domain
  • Scripts: cdn.example.com is also allowed
  • Images: from anywhere over HTTPS and data URIs
  • CSS: from the same domain and inline styles ('unsafe-inline' weakens the policy, so this is not ideal)
  • Fonts: from Google Fonts
  • Violation reports sent to /csp-report

Strict CSP — the Modern Approach

Today a "strict CSP" is recommended, which uses a nonce or hash to approve specific inline scripts instead of an allowlist of domains:

Content-Security-Policy: script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none';

Every inline <script> tag must carry nonce="r4nd0m", where the nonce value is freshly generated for every response. Attackers cannot guess it, so injected scripts are blocked.

Gradual Roll-out

  1. Start with Content-Security-Policy-Report-Only — reports only, nothing is blocked.
  2. Collect reports and see what "would have broken".
  3. Fix legitimate sources that are missing.
  4. After 1–2 weeks, switch to the full Content-Security-Policy.
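As an added illustration (not code from the original page), the following Python builds the strict, nonce-based header shown above in either Report-Only or enforcing mode, emits the matching <script nonce> tag, approximates the browser's allow/block decision for an inline script, and triages a constructed violation report of the kind the browser POSTs to report-uri. The report field names follow the standard CSP report JSON; the sample report itself is constructed.

```python
import json
import secrets
from typing import Optional, Tuple

# Non-nonce directives of the strict policy shown above.
STRICT_DIRECTIVES = {"object-src": "'none'", "base-uri": "'none'"}

def new_nonce() -> str:
    """Fresh, unguessable nonce (128 bits, base64url) for one HTTP response."""
    return secrets.token_urlsafe(16)

def strict_csp_header(nonce: str, report_only: bool = False,
                      report_path: str = "/csp-report") -> Tuple[str, str]:
    """Return (header name, header value) for a nonce-based strict CSP.
    report_only=True emits Content-Security-Policy-Report-Only, the first
    step of the gradual roll-out: violations are reported, nothing is blocked."""
    parts = [f"script-src 'nonce-{nonce}' 'strict-dynamic'"]
    parts += [f"{k} {v}" for k, v in STRICT_DIRECTIVES.items()]
    parts.append(f"report-uri {report_path}")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(parts)

def script_tag(nonce: str, body: str) -> str:
    """Inline script the policy will run: it carries the per-response nonce."""
    return f'<script nonce="{nonce}">{body}</script>'

def inline_script_allowed(header_value: str, script_nonce: Optional[str]) -> bool:
    """Approximate the browser's decision for an inline script under script-src:
    with no 'unsafe-inline' in the policy, only a matching nonce lets it run."""
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] == "script-src":
            return script_nonce is not None and f"'nonce-{script_nonce}'" in tokens[1:]
    return False  # no script-src directive: treat as blocked in this simplified model

def summarize_report(raw: str) -> dict:
    """Pull the fields worth triaging out of a CSP violation report body."""
    r = json.loads(raw)["csp-report"]
    return {
        "page": r.get("document-uri"),
        "directive": r.get("effective-directive") or r.get("violated-directive"),
        "blocked": r.get("blocked-uri"),
        "inline": r.get("blocked-uri") == "inline",
    }

# Constructed sample: an inline script without a nonce was blocked on a page.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/checkout",
    "violated-directive": "script-src", "effective-directive": "script-src",
    "blocked-uri": "inline",
    "original-policy": "script-src 'nonce-abc' 'strict-dynamic'; object-src 'none'",
}})
```

Reports with "blocked": "inline" during the Report-Only phase point at legitimate inline scripts that still need a nonce before switching to the enforcing header.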
