Content Security Policy
CSP
ELI5 — The Vibe Check
Content Security Policy is an HTTP header that tells the browser exactly where it's allowed to load scripts, images, and other resources from. It's like a bouncer who only lets approved guests (trusted domains) provide scripts to the page. Even if an XSS attack injects a script tag, CSP can block it from running.
Real Talk
CSP (Content Security Policy) is an HTTP response header that instructs browsers to restrict resource loading to specified origins. It's a defense-in-depth measure against XSS attacks. Directives include script-src, style-src, img-src, connect-src, etc. Violations can be reported to a URI for monitoring.
Show Me The Code
// Setting CSP in Express
app.use((req, res, next) => {
res.setHeader(
'Content-Security-Policy',
[
"default-src 'self'",
"script-src 'self' https://cdn.example.com",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https:",
"report-uri /csp-violations",
].join('; ')
);
next();
});
When You'll Hear This
"Add a strict CSP header to reduce XSS risk." / "The CSP report showed a blocked inline script."
Related Terms
CORS (CORS)
CORS (Cross-Origin Resource Sharing) is the browser's built-in protection that prevents random websites from making API calls to your backend using the vis...
CSP (CSP)
CSP stands for Content Security Policy.
Escape
Escaping means converting special characters into their safe equivalents before putting them in HTML, SQL, or a shell command.
HSTS (HSTS)
HSTS (HTTP Strict Transport Security) tells the browser 'this site is ALWAYS HTTPS, never even try HTTP.
XSS (XSS)
XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.