CSP (Content Security Policy)
Content Security Policy is a browser-enforced response header that restricts which scripts, styles, images, and frames a page may load — the principal defence-in-depth against XSS.
Definition
Content Security Policy (CSP) is the HTTP response header (`Content-Security-Policy`) that tells the browser which sources of script, style, image, frame, font, connection, and other resources the page is allowed to use. It can also be delivered in a `<meta http-equiv>` element, although some directives (`frame-ancestors`, `sandbox`, reporting) only work in the header. A correctly configured CSP turns a successful XSS injection into a blocked script: an injected inline script carries no valid nonce or hash, an injected external script loads from no allowed source, so the browser refuses to execute either and, if `report-to` or `report-uri` is set, sends a violation report instead.
CSP is defence in depth, not a primary defence (the primary defence is correct, context-aware output encoding), but for an application of any complexity it is the most effective single mitigation. Strict CSPs (`script-src 'nonce-…' 'strict-dynamic'`, with `object-src 'none'` and `base-uri 'none'`) are the recommended profile: the nonce must be freshly generated per response and unpredictable, and `'strict-dynamic'` makes the browser ignore host allowlists, which matters because allowlist-based policies are routinely bypassed through JSONP endpoints or script gadgets on the allowed hosts. A policy that keeps `'unsafe-inline'` in `script-src` without a nonce or hash gives no protection against XSS at all. New policies are best rolled out first in `Content-Security-Policy-Report-Only` to find what they would break.
Mitigation
Not applicable: CSP is itself a mitigation, not a vulnerability class.