What is CSP and how does it mitigate attacks?
· Category: Cybersecurity
Short answer
Content Security Policy (CSP) is a W3C browser security standard: the server sends a policy with each page, and the browser enforces it by refusing to load or execute content from any source the policy does not allow. Its main purpose is to mitigate cross-site scripting (XSS) and related content-injection attacks. It limits what an injection can do once it has happened; it does not stop the injection itself.
How it works
CSP is delivered in the Content-Security-Policy HTTP response header (a <meta http-equiv> tag in the page also works, but it cannot carry frame-ancestors, report-uri or sandbox). Directives such as default-src, script-src and img-src each list the sources allowed for one kind of resource; a fetch directive that is absent falls back to default-src. The browser refuses any load that no listed source matches and, if report-to or report-uri is set, sends a JSON violation report to that endpoint. The Content-Security-Policy-Report-Only header reports violations without blocking anything, which is the usual way to trial a policy before enforcing it.
A strict policy allows scripts only from the page's own origin, or better only scripts that carry a per-response nonce or a hash of their content, and leaves out 'unsafe-inline' and 'unsafe-eval'. Inline script blocks, inline event handlers, javascript: URLs and eval() are then all refused. This makes XSS significantly harder: an attacker who can inject markup still cannot execute it, because the injected script has no authorised source and no valid nonce. Host allowlists are the weaker form of strict policy, since an allowed domain that also hosts a JSONP endpoint or an old JavaScript framework can often be used to run attacker-controlled code within the policy; nonces or hashes combined with 'strict-dynamic' avoid that problem.
Example
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'
This allows scripts only from the page's own origin ('self' means the same scheme, host and port, not merely the same domain) and from https://cdn.example.com; inline scripts are blocked as well, because 'unsafe-inline' is not listed. object-src 'none' blocks plugins such as Flash and Java outright. Every resource type without its own directive, such as images, stylesheets and fetch() or XMLHttpRequest connections, falls back to default-src 'self', so an image served from the CDN would still be blocked. Note that the CDN host is trusted wholesale: any script it serves, including a JSONP endpoint or an old framework build, becomes a way to execute attacker-controlled code within this policy.
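To make the evaluation rules concrete, here is a small model of the browser's decision procedure, written for this page as an added example (it is neither the page's own code nor browser source). It parses the policy above exactly as written and applies it to a set of constructed loads from a hypothetical document at https://app.example.com; the ALLOW/BLOCK outcomes show the default-src fallback, the effect of a missing 'unsafe-inline', and how 'self' and host sources are matched. It goes slightly beyond the page's example by also handling wildcard hosts, ports and scheme-only sources.

```javascript
// Added example, not code from the original page: a model of how a browser
// evaluates a Content-Security-Policy header against resource loads.
// Covered: directive fallback to default-src, 'none', 'self', 'unsafe-inline',
// scheme sources, and host sources with wildcards and ports.
// Not modeled: nonces, hashes, 'strict-dynamic', path matching, and the
// directives that never fall back (frame-ancestors, base-uri, form-action).

// Parse "name src src; name2 src" into a Map of directive name -> sources.
// Browsers honour only the first occurrence of a duplicated directive.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Fetch directives (script-src, img-src, object-src, connect-src, ...) fall
// back to default-src when absent. null means nothing governs the load.
function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Does a single source expression match a URL, for a document at docUrl?
function matchesSource(expr, url, docUrl) {
  if (expr === '*') return true;
  if (expr === "'self'") return url.origin === docUrl.origin;
  if (expr.startsWith("'")) return false;          // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {        // scheme source, e.g. "https:"
    return url.protocol === expr.toLowerCase();
  }
  // Host source: [scheme://]host[:port][/path]  (the path is ignored here)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\*|\d+))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A host source without a scheme inherits the document's scheme.
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : docUrl.protocol;
  if (url.protocol !== wantScheme) return false;
  const want = host.toLowerCase();
  if (wildcard ? !url.hostname.endsWith('.' + want) : url.hostname !== want) return false;
  if (port === undefined) return url.port === '';  // no port given: only the scheme's default port
  if (port === '*') return true;
  return (url.port || DEFAULT_PORT[url.protocol] || '') === port;
}

// Decide one load. A load is { directive, url } or { directive, inline: true }.
// An empty source list or a lone 'none' matches nothing, so the load is blocked.
function isAllowed(header, documentUrl, load) {
  const sources = sourcesFor(parsePolicy(header), load.directive);
  if (sources === null) return true;               // no directive applies
  if (load.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(load.url);
  const doc = new URL(documentUrl);
  return sources.some(expr => matchesSource(expr, url, doc));
}

// The policy from the page, applied to constructed loads from a hypothetical
// document at https://app.example.com.
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'";

function evaluateExamplePolicy() {
  const doc = 'https://app.example.com/';
  const loads = {
    sameOriginScript:  { directive: 'script-src',  url: 'https://app.example.com/app.js' },
    cdnScript:         { directive: 'script-src',  url: 'https://cdn.example.com/lib.js' },
    cdnScriptOverHttp: { directive: 'script-src',  url: 'http://cdn.example.com/lib.js' },
    thirdPartyScript:  { directive: 'script-src',  url: 'https://evil.example.net/x.js' },
    inlineScript:      { directive: 'script-src',  inline: true },
    sameOriginPlugin:  { directive: 'object-src',  url: 'https://app.example.com/x.swf' },
    sameOriginImage:   { directive: 'img-src',     url: 'https://app.example.com/logo.png' },
    cdnImage:          { directive: 'img-src',     url: 'https://cdn.example.com/logo.png' },
    apiFetch:          { directive: 'connect-src', url: 'https://api.example.com/v1' },
  };
  const results = {};
  for (const [name, load] of Object.entries(loads)) {
    results[name] = isAllowed(EXAMPLE_POLICY, doc, load);
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, ok] of Object.entries(evaluateExamplePolicy())) {
    console.log(`${ok ? 'ALLOW' : 'BLOCK'}  ${name}`);
  }
}
```

Two outcomes are worth noticing. The same-origin plugin is blocked even though default-src would allow it, because the more specific object-src 'none' wins. The CDN image and the API fetch are blocked because img-src and connect-src are absent and fall back to default-src 'self'; in practice this is the most common reason a freshly deployed policy breaks a site, and the Report-Only header exists to surface exactly these cases before enforcement.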
Why it matters
CSP is a defense-in-depth control, not a replacement for output encoding and input validation: it limits what an XSS bug can do once encoding has failed somewhere. Beyond scripts it also addresses clickjacking (frame-ancestors decides which sites may embed the page) and curbs data exfiltration by restricting where the page may connect, submit forms or load images, although a determined attacker with script execution can usually still leak data through channels CSP does not govern. It moves the browser from blocklisting dangerous inputs to allowlisting the sources a page legitimately needs.