CSP (Content Security Policy)

Content Security Policy is a browser-enforced response header that restricts which scripts, styles, images, and frames a page may load — the principal defence-in-depth against XSS.

Definition

Content Security Policy (CSP) is the HTTP response header (`Content-Security-Policy`) that tells the browser which sources of script, style, image, frame, font, connection, and other resources the page is allowed to use. A correctly configured CSP turns a successful XSS injection into "nothing happens": the injected script has no permitted source, so the browser refuses to execute it.

CSP is defence-in-depth, not a primary defence (the primary defence is correct output encoding), but for an application of any complexity it is the single most effective mitigation. Strict CSPs (script-src 'nonce-…' 'strict-dynamic') are the recommended profile.
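
As an added example (not part of this entry and not taken from any standard tool), the following Python helpers issue a fresh per-response nonce, build the strict profile described above, and lint a policy string for the weak settings a reviewer looks for; the weak policy and the finding messages are constructed here for illustration.

```python
import base64
import secrets

SCRIPT_KEYWORDS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"  # constructed weak example

def make_nonce() -> str:
    """128 bits from the OS CSPRNG, base64-encoded; generate a fresh one per response."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def strict_csp(nonce: str) -> str:
    """Nonce-based strict policy. 'https:' and 'unsafe-inline' are fallbacks that
    nonce-aware browsers ignore; they only matter for older browsers."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
            "object-src 'none'; base-uri 'none'")

def parse_csp(header: str) -> dict:
    """Split a header value into {directive: [source tokens]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def check_csp(header: str) -> list:
    """Return a list of findings; an empty list means the script policy is strict."""
    d = parse_csp(header)
    findings = []
    src = d.get("script-src", d.get("default-src"))
    if src is None:
        return ["no script-src (and no default-src fallback): script loading is unrestricted"]
    low = [t.lower() for t in src]
    nonce_or_hash = any(t.startswith(SCRIPT_KEYWORDS) for t in low)
    strict_dynamic = "'strict-dynamic'" in low
    if not nonce_or_hash:
        findings.append("script-src has no nonce or hash: it relies on a host allowlist, the weaker model")
    if "'unsafe-inline'" in low and not nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce/hash lets injected inline scripts run")
    if "'unsafe-eval'" in low:
        findings.append("'unsafe-eval' permits string-to-code execution")
    broad = {"*", "https:", "http:", "data:"} & set(low)
    if broad and not (nonce_or_hash and strict_dynamic):
        findings.append(f"broad source {sorted(broad)} without 'strict-dynamic' is a wide allowlist")
    if d.get("object-src", d.get("default-src")) != ["'none'"]:
        findings.append("object-src should be 'none' (plugin content can execute script)")
    if "base-uri" not in d:  # base-uri does not fall back to default-src
        findings.append("base-uri missing: an injected <base> can redirect relative script URLs")
    return findings
```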

Mitigation

Not applicable: CSP is itself a mitigation.
