Content Security Policy (CSP)

Browser directive that controls which resources a page can load to reduce XSS and data injection risks.


What it is

Content Security Policy (CSP) is a browser mechanism that lets site owners declare restrictive rules about the resources a page can load and the scripts it can execute. Delivered via the Content-Security-Policy HTTP response header or a <meta> tag, CSP directives whitelist trusted origins for scripts, styles, images, fonts, frames, and network destinations. Once a policy is in place, the browser blocks anything the policy does not explicitly permit. CSP can also require nonces or hashes for inline scripts, block mixed content, and restrict powerful features such as eval. This shifts the security model from blacklisting known bad sources to trusting only the content you designate. Crafting an effective CSP requires deep knowledge of an application's asset pipeline and third-party integrations, because overly strict directives can break functionality. Many teams start in report-only mode (the Content-Security-Policy-Report-Only header) to monitor violations before switching to enforcing mode. Combined with other browser controls such as Subresource Integrity, SameSite cookies, and secure headers, CSP forms a resilient defense against cross-site scripting and data exfiltration.

Why it matters

Cross-site scripting is still prevalent and difficult to eliminate entirely at the application layer. CSP offers a compensating control that limits the impact of injection flaws by making it harder for malicious scripts to execute or beacon data to attacker infrastructure.

How to reduce risk

  • Inventory every external script, stylesheet, and frame to craft a least-privilege CSP tailored to your application.
  • Use nonces or SHA-256 hashes for inline scripts instead of broad unsafe-inline allowances.
  • Monitor CSP violation reports to detect both policy gaps and active attack attempts.
  • Automate CSP validation as part of deployment pipelines to prevent regressions or overly permissive changes.
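The practices above, as an added example that is not part of the glossary entry: building a nonce/hash-based policy (optionally in report-only mode) and a small lint function a deployment pipeline could run to reject overly permissive script sources. The `/csp-report` endpoint name is an assumption.

```python
import base64
import hashlib

# Added example (not from the page). /csp-report is an assumed endpoint name.

def script_hash(inline_js: str) -> str:
    """'sha256-...' source expression for an inline <script> body (byte-exact)."""
    digest = hashlib.sha256(inline_js.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_csp(nonce: str, inline_scripts=(), report_only=False):
    """Return (header name, header value) for a least-privilege policy.
    nonce must be fresh per response, e.g. base64 of secrets.token_bytes(16)."""
    script_src = ["'self'", f"'nonce-{nonce}'"] + [script_hash(js) for js in inline_scripts]
    directives = {
        "default-src": ["'self'"],
        "script-src": script_src,
        "object-src": ["'none'"],       # no plugin content at all
        "base-uri": ["'self'"],         # stop <base> hijacking of relative URLs
        "report-uri": ["/csp-report"],  # where violation reports are posted
    }
    value = "; ".join(f"{d} {' '.join(s)}" for d, s in directives.items())
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value

def parse_csp(value: str) -> dict:
    """Split a header value into {directive: [source, ...]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

# Source expressions that let injected or attacker-hosted scripts run.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}

def lint_csp(value: str) -> list:
    """Pipeline check: list findings that would defeat CSP's XSS protection."""
    policy = parse_csp(value)
    findings = []
    script_src = policy.get("script-src", policy.get("default-src"))  # CSP fallback rule
    if script_src is None:
        findings.append("no script-src or default-src: scripts are unrestricted")
    else:
        findings += [f"script-src allows {s}" for s in script_src if s in WEAK_SOURCES]
    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src should be 'none'")
    return findings
```

Run `lint_csp` against the header your deployment actually emits; a non-empty result should fail the pipeline step.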