What is Content Security Policy?

Overview

Content Security Policy (CSP) is a security feature that helps prevent a range of attacks on your website, including Cross-Site Scripting (XSS) and data injection attacks. It works by specifying which content sources are trusted, limiting what your site is allowed to load.


How It Works

CSP acts like a set of rules that your browser follows when loading a website. These rules define which scripts, styles, images, and other resources are allowed to load—and from where. If content is requested from an unauthorized source, the browser blocks it.

For example, if your policy only allows scripts from your own domain, any malicious script trying to load from a third-party source will be blocked.


Benefits of Using CSP

  • Blocks unauthorized scripts from running on your site

  • Reduces the risk of XSS attacks

  • Limits exposure to data leaks or injected code

  • Improves overall site security posture


How to Implement CSP

CSP is typically set via HTTP response headers or within meta tags. The most common method is using the Content-Security-Policy header. You define rules like:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trustedscript.com; 

This tells the browser to:

  • Load every resource type from your own origin by default ('self' means the same scheme, host and port as the page), unless a more specific directive overrides it

  • Only allow scripts from your own origin and https://trustedscript.com; scripts from any other source are blocked


Pro Tip:

When first enabling CSP, use “report-only” mode (the Content-Security-Policy-Report-Only header) to test your policy without breaking your site: violations are reported but nothing is blocked. Once everything works as expected, enforce it by switching to the Content-Security-Policy header.
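The following is an added example (not code from the original article) that turns the policy above into a header value, switches between the report-only and enforcing header names, and checks resource URLs against it the way a browser would; the function names buildCspHeader and isAllowed and the simplified host matching (exact origin only, no wildcards or paths) are this example's own assumptions.

```javascript
// Added example, not from the original article.
// Policy from the article: default-src 'self'; script-src 'self' https://trustedscript.com
const policy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://trustedscript.com'],
};

// Serialise the policy object to a header. reportOnly selects the
// Content-Security-Policy-Report-Only header used while testing a policy.
function buildCspHeader(directives, reportOnly = false) {
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  const value = Object.entries(directives)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
  return { name, value };
}

// Decide whether loading resourceUrl as `kind` ('script', 'img', 'style', ...)
// is allowed. The `${kind}-src` directive applies; if it is absent the
// browser falls back to default-src. Simplified: host sources must match the
// resource origin exactly (no wildcard or path matching in this example).
function isAllowed(directives, pageOrigin, resourceUrl, kind) {
  const sources = directives[`${kind}-src`] || directives['default-src'] || [];
  const resourceOrigin = new URL(resourceUrl).origin;
  return sources.some((src) => {
    if (src === "'self'") return resourceOrigin === pageOrigin;
    if (src.startsWith("'")) return false; // 'none' and other keywords never match a URL here
    return new URL(src).origin === resourceOrigin;
  });
}

// Constructed sample loads from a page at https://example.com
const page = 'https://example.com';
console.log(buildCspHeader(policy, true));
console.log(isAllowed(policy, page, 'https://example.com/app.js', 'script'));         // true
console.log(isAllowed(policy, page, 'https://trustedscript.com/lib.js', 'script'));   // true
console.log(isAllowed(policy, page, 'https://evil.example/x.js', 'script'));          // false
console.log(isAllowed(policy, page, 'https://trustedscript.com/logo.png', 'img'));    // false: default-src applies
```

Note the last case: trustedscript.com is trusted for scripts only, so an image from it falls back to default-src 'self' and is blocked.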

Let us know if you’d like help creating or testing a CSP for your site!