Headers & Policies
CSP
Content Security Policy (CSP) is an HTTP response header that tells browsers which sources of content (scripts, styles, images, etc.) are trusted and should be allowed to load. A well-configured CSP significantly reduces the risk of XSS attacks by blocking inline scripts and restricting external script sources. CSP can be deployed in report-only mode first to catch violations before enforcing. Overly permissive CSPs (e.g., unsafe-inline or wildcard sources) provide little protection.
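To make the header concrete, here is an added example (not code from the original page): a small checker that parses a CSP value, flags the permissive settings described above (missing default-src, unsafe-inline, wildcard sources), and shows how the same policy string is served under the report-only header during rollout and under the enforcing header afterwards. The policy strings and the /csp-report endpoint are constructed for illustration.

```python
from typing import Dict, List

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def csp_findings(header: str) -> List[str]:
    """Return findings for weak or missing script controls in a CSP value."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    # script-src governs XSS exposure; browsers fall back to default-src when it is absent
    script = policy.get("script-src", policy.get("default-src", []))
    if not script:
        findings.append("scripts unrestricted (no script-src or default-src)")
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    for src in script:
        if src == "*" or src.startswith("*."):
            findings.append(f"script-src allows wildcard source {src!r}")
    return findings

def csp_headers(policy: str, report_only: bool, report_uri: str = "/csp-report") -> Dict[str, str]:
    """Same policy, served as report-only during rollout or enforced afterwards."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: f"{policy}; report-uri {report_uri}"}

# Constructed sample policies: a permissive one and a hardened one.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, csp_findings(csp) or ["no findings"])
    print(csp_headers(STRICT_CSP, report_only=True))
    print(csp_headers(STRICT_CSP, report_only=False))
```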
Why it matters for your website
- Simple HTTP header with immediate security improvement at no performance cost
- Checked by automated security scanners and compliance tools
- Missing headers are flagged as medium-to-high severity findings