Vol. 1 · Ed. 2026
CyberGlossary
Entry № 240

Content Security Policy (CSP)

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Content Security Policy (CSP)?

Content Security Policy (CSP): An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.


Content Security Policy is delivered via the 'Content-Security-Policy' response header (or an HTML 'meta' element) and enforces a fine-grained allow-list per resource type: 'script-src', 'style-src', 'img-src', 'connect-src', 'frame-ancestors' and more. Modern strict CSPs are built around nonces or hashes rather than host allow-lists, so an injected script that lacks the correct nonce (or whose hash is not listed) simply does not execute. Once 'script-src' is set without 'unsafe-inline', CSP also blocks inline event handlers; without 'unsafe-eval' it disables 'eval'; and violations can be reported to a collector through 'report-to'. It is a defence-in-depth control that significantly reduces the impact of XSS, clickjacking (via 'frame-ancestors') and mixed content, but it does not replace input validation and output encoding.
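As an added illustration (not code from the glossary), the following Python builds the strict nonce-based header described above, computes a hash-source for an inline script, and models the browser's script-src decision for a nonced, an inline and an external script. The 'app.example' host, the report group name and the simplified evaluator (no 'strict-dynamic', scheme or wildcard sources) are assumptions for the example.

```python
import base64
import hashlib
import secrets
from typing import Optional


def generate_nonce() -> str:
    """Fresh, unguessable nonce; a new one must be issued for every response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_strict_csp(nonce: str, report_group: Optional[str] = None) -> str:
    """Assemble the strict policy from the entry: scripts need the per-response
    nonce, plugins are off, <base> injection is blocked and framing is refused."""
    directives = [
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'none'",
        "frame-ancestors 'none'",
    ]
    if report_group:
        # report_group names a Reporting-Endpoints group (assumed to exist)
        directives.append(f"report-to {report_group}")
    return "; ".join(directives)


def script_hash(source: str) -> str:
    """Hash-source for an inline script body: the exact bytes between the tags,
    whitespace included, so the listed hash must be regenerated on any edit."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def parse_csp(header: str) -> dict:
    """Split a policy into {directive: [source expressions]}.
    Browsers honour the first occurrence of a directive and ignore repeats."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_allowed(header: str, *, nonce: Optional[str] = None,
                   inline_source: Optional[str] = None,
                   src_host: Optional[str] = None,
                   page_host: str = "app.example") -> bool:
    """Simplified model of the browser's script-src decision.

    Exactly one of nonce / inline_source / src_host describes the script:
    a nonced element, an un-nonced inline body, or an external script by host.
    'strict-dynamic', scheme sources and wildcard hosts are deliberately left out.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if nonce is not None:
        return f"'nonce-{nonce}'" in sources
    if inline_source is not None:
        if script_hash(inline_source) in sources:
            return True
        # 'unsafe-inline' is ignored once any nonce or hash is present (CSP Level 2+)
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    if src_host is not None:
        return src_host in sources or (src_host == page_host and "'self'" in sources)
    return False


if __name__ == "__main__":
    nonce = generate_nonce()
    header = build_strict_csp(nonce, report_group="csp-endpoint")
    print("Content-Security-Policy:", header)
    # A script the server rendered with the nonce runs; an injected one does not.
    print(script_allowed(header, nonce=nonce), script_allowed(header, nonce="guessed"))
```

The nonce must be generated per response and never reused, otherwise an attacker who can read one page can reuse it in an injection; the hash variant avoids that state but forces a rebuild of the policy whenever the inline script changes.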

Examples

  1. Header: Content-Security-Policy: script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'

  2. Reporting policy: 'Content-Security-Policy-Report-Only' used to test a stricter CSP before enforcing it.
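The report-only rollout in the second example produces a stream of violation reports; the Python below is an added example (not from the glossary) of how a collector might digest them. It parses both the 'report-to' wire format and the legacy 'report-uri' body, groups violations by directive, and lists the sources that still need a nonce, hash or allow-list entry before the same policy can be enforced. The sample reports, hosts and URLs are constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of what a browser POSTs (Content-Type: application/reports+json)
# to a report-to endpoint while the policy runs in Content-Security-Policy-Report-Only.
# disposition "report" means nothing was actually blocked yet.
SAMPLE_REPORTS = json.dumps([
    {"type": "csp-violation", "age": 10, "url": "https://app.example/checkout",
     "body": {"documentURL": "https://app.example/checkout", "blockedURL": "inline",
              "effectiveDirective": "script-src", "disposition": "report",
              "sourceFile": "https://app.example/checkout", "lineNumber": 42,
              "sample": "onclick=\"track()\""}},
    {"type": "csp-violation", "age": 11, "url": "https://app.example/checkout",
     "body": {"documentURL": "https://app.example/checkout", "blockedURL": "inline",
              "effectiveDirective": "script-src", "disposition": "report",
              "sourceFile": "https://app.example/checkout", "lineNumber": 58}},
    {"type": "csp-violation", "age": 30, "url": "https://app.example/",
     "body": {"documentURL": "https://app.example/",
              "blockedURL": "https://cdn.example/analytics.js",
              "effectiveDirective": "script-src", "disposition": "report"}},
    {"type": "csp-violation", "age": 31, "url": "https://app.example/",
     "body": {"documentURL": "https://app.example/",
              "blockedURL": "https://img.example/logo.png",
              "effectiveDirective": "img-src", "disposition": "report"}},
    # A different report type sharing the endpoint; it must be ignored.
    {"type": "deprecation", "age": 5, "url": "https://app.example/",
     "body": {"id": "SomeAPI", "message": "constructed"}},
])

# Constructed legacy report-uri body (one report per POST) for comparison.
SAMPLE_LEGACY = json.dumps({"csp-report": {
    "document-uri": "https://app.example/",
    "blocked-uri": "https://cdn.example/analytics.js",
    "effective-directive": "script-src", "violated-directive": "script-src",
    "disposition": "report"}})


def extract_violations(payload: str) -> list:
    """Normalise both wire formats into (directive, blocked_url, disposition, location)."""
    data = json.loads(payload)
    if isinstance(data, dict) and "csp-report" in data:  # legacy report-uri body
        r = data["csp-report"]
        directive = r.get("effective-directive") or r.get("violated-directive", "unknown").split()[0]
        return [(directive, r.get("blocked-uri", ""), r.get("disposition", "enforce"),
                 r.get("document-uri", ""))]
    out = []
    for report in data:
        if report.get("type") != "csp-violation":
            continue
        body = report["body"]
        location = body.get("sourceFile") or body.get("documentURL", "")
        if "lineNumber" in body:
            location += f":{body['lineNumber']}"
        out.append((body.get("effectiveDirective", ""), body.get("blockedURL", ""),
                    body.get("disposition", "enforce"), location))
    return out


def summarise(payload: str) -> dict:
    """Group violations by directive; these counts are what the policy would block
    once Report-Only is switched to enforcement."""
    summary = defaultdict(Counter)
    for directive, blocked, _disposition, _location in extract_violations(payload):
        summary[directive][blocked] += 1
    return dict(summary)


def unresolved(payload: str, intended_blocks=()) -> list:
    """(directive, blocked) pairs that are not on the list of things you mean to block.
    'inline' entries are first-party code that needs a nonce, a hash or a refactor;
    external hosts need an allow-list entry or removal. Empty list = safe to enforce."""
    pairs = {(d, b) for d, b, _disp, _loc in extract_violations(payload)
             if b not in intended_blocks}
    return sorted(pairs)


if __name__ == "__main__":
    for directive, counts in summarise(SAMPLE_REPORTS).items():
        print(directive, dict(counts))
    print("still to fix:", unresolved(SAMPLE_REPORTS, {"https://cdn.example/analytics.js"}))
```

The key signal is disposition "report": every entry would turn into a real block under the enforcing header, so the policy is only ready when the unresolved list contains nothing you still depend on.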

Frequently asked questions

What is Content Security Policy (CSP)?

An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks. It belongs to the Application Security category of cybersecurity.

What does Content Security Policy (CSP) mean?

An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.

How do you deploy Content Security Policy (CSP)?

CSP is itself a defensive control rather than a threat. It is deployed by combining the technical controls and operational practices described in the full definition above, typically by testing the policy in report-only mode before enforcing it.

What are other names for Content Security Policy (CSP)?

Common alternative names include: CSP.
