Content Security Policy
A security header that helps prevent cross-site scripting attacks by controlling which sources a browser may load scripts and other resources from on a webpage.
Definition
Content Security Policy (CSP) is a security standard that helps prevent code injection attacks by specifying which domains browsers should consider valid sources for executable scripts, stylesheets, images, and other resources.
Implemented through HTTP headers or meta tags, CSP creates an allowlist of trusted sources; the browser blocks content from anywhere else and can send detailed violation reports that help identify potential attacks or implementation issues.
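The allowlist mechanism described above, as an added example that is not part of the original page: a small Python checker that parses a CSP header value, decides whether a resource URL is permitted for a directive (falling back to default-src as browsers do), and flags script-src values that would still let injected code run. Policies, origins and hostnames are constructed; matching is simplified to scheme and host, so ports, paths, nonces and hashes are not handled.

```python
from urllib.parse import urlsplit

# Constructed sample policies (not from the original page): a weak one that lets inline
# scripts and any https host run, and a hardened one that trusts only the shop itself and
# one hypothetical payment processor, with violation reporting turned on.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
HARDENED_POLICY = ("default-src 'self'; script-src 'self' https://pay.example-processor.com; "
                   "img-src 'self' https://cdn.example.com; report-uri /csp-report")
PAGE_ORIGIN = "https://shop.example.com"  # constructed origin of the protected page
# Fetch directives that inherit default-src when unset (subset of the full list), and
# script-src values that let injected code run despite the policy.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "font-src", "frame-src"}
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:"}

def parse_csp(header: str) -> dict:
    """Turn a header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Match one source expression against a URL (scheme/host only; ports and paths ignored)."""
    u = urlsplit(url)
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if expr == "*":
        return True
    if expr.endswith(":"):  # scheme source such as https:
        return u.scheme == expr[:-1]
    host = urlsplit(expr if "://" in expr else "//" + expr, scheme=u.scheme)
    if host.hostname and host.hostname.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host.hostname[1:])
    return u.scheme == host.scheme and u.netloc == host.netloc

def allows(policy: dict, directive: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Is url an allowed source for directive, falling back to default-src as a browser does?"""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src", [])
    return any(source_matches(s, url, page_origin) for s in sources or [])

def weak_script_sources(policy: dict) -> list:
    """List script-src entries that defeat the XSS protection CSP is meant to provide."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return [s for s in sources if s in WEAK_SCRIPT_SOURCES]
```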
Why It Matters
CSP significantly reduces the risk of cross-site scripting (XSS) attacks, which can compromise user data and damage business reputation. By implementing CSP, organizations demonstrate security compliance and protect customer trust.
Beyond security, CSP helps identify and prevent unauthorized third-party scripts that can slow down websites, ensuring better performance and user experience while maintaining control over external dependencies.
Examples in Practice
E-commerce sites use CSP to prevent malicious scripts from capturing payment information, only allowing trusted payment processors and analytics tools to execute code.
News websites implement CSP to control advertising scripts, ensuring ads come from approved networks while blocking potentially harmful or performance-degrading third-party content.
SaaS applications use CSP to protect user dashboards from code injection, while still allowing necessary integrations with trusted services like customer support widgets.