Content Security Policy Headers
ELI5 — The Vibe Check
CSP tells the browser exactly where scripts, styles, images, and other resources are allowed to load from. If a hacker injects a script pointing to evil.com, CSP blocks it because evil.com isn't on the approved list. It's a whitelist for everything your page is allowed to load.
Real Talk
Content Security Policy is an HTTP response header that mitigates XSS, clickjacking, and other code-injection attacks by declaring the approved content sources for each resource type. Directives include default-src (the fallback for most fetch directives), script-src, style-src, img-src, connect-src, and frame-ancestors (which controls who may embed the page). Report-only mode (sent as a separate Content-Security-Policy-Report-Only header) reports violations without enforcing the policy, so it can be tested before it is turned on.
When You'll Hear This
"CSP blocked an XSS payload because we don't allow 'unsafe-inline' scripts." / "Start with CSP in report-only mode to find violations before enforcing."
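The following is an added example, not code from the original page: it builds the two CSP header variants from a policy object and models the browser-side decision of whether a resource load is allowed, including the fall-back to default-src, wildcard hosts, scheme sources such as data:, and the 'unsafe-inline' check mentioned above. The policy, origins and report endpoint are constructed for illustration; the matching logic is a simplified version of the CSP source-expression rules (no nonce, hash or port-default handling).

```javascript
// Constructed sample policy (not from the page): everything defaults to
// same-origin, scripts may also come from one CDN, images from any
// example.com subdomain or data: URLs, and nobody may frame the page.
const policy = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example.com"],
  "style-src": ["'self'"],
  "img-src": ["'self'", "data:", "https://*.example.com"],
  "connect-src": ["'self'"],
  "frame-ancestors": ["'none'"],
};

// Serialise the policy object into the header value: "directive src src; ...".
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Enforcing and report-only modes differ only in the header name; report-only
// sends violation reports to reportUri (a hypothetical endpoint) without blocking.
function cspHeaders(policy, { reportOnly = false, reportUri } = {}) {
  const name = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  let value = buildCsp(policy);
  if (reportUri) value += `; report-uri ${reportUri}`;
  return { [name]: value };
}

// Fetch directives that fall back to default-src when absent.
// frame-ancestors deliberately does not: an omitted frame-ancestors means "unrestricted".
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "connect-src",
  "font-src", "media-src", "object-src", "frame-src",
]);

// Resolve the source list that governs a directive under this policy.
function governingSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  return FALLS_BACK_TO_DEFAULT.has(directive) ? policy["default-src"] : undefined;
}

// Does one source expression ('self', 'none', a scheme, or a host pattern) match the URL?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === "*") return true;
  if (expr.endsWith(":")) return url.protocol === expr; // scheme-source, e.g. "data:"
  // host-source: optional scheme, optional leading "*." wildcard, optional port
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== `${scheme}:`) return false;
  const hostname = url.hostname.toLowerCase();
  const pattern = host.toLowerCase();
  if (wildcard ? !hostname.endsWith("." + pattern) : hostname !== pattern) return false;
  if (port && port !== "*" && url.port !== port) return false; // simplified: no default-port logic
  return true;
}

// Would the browser allow loading urlString for this directive on a page at pageOrigin?
function isAllowed(policy, directive, urlString, pageOrigin) {
  const sources = governingSources(policy, directive);
  if (!sources) return true; // no applicable directive: CSP imposes no restriction
  const url = new URL(urlString);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Inline <script>/<style> blocks run only if the governing list contains 'unsafe-inline'.
function allowsInline(policy, directive) {
  const sources = governingSources(policy, directive);
  return !sources || sources.includes("'unsafe-inline'");
}

// Stand-alone demonstration.
const page = "https://app.example.com";
console.log(cspHeaders(policy, { reportOnly: true, reportUri: "/csp-report" }));
console.log("cdn script:", isAllowed(policy, "script-src", "https://cdn.example.com/lib.js", page));
console.log("injected script:", isAllowed(policy, "script-src", "https://evil.com/x.js", page));
console.log("inline script:", allowsInline(policy, "script-src"));
```

The report-only variant is the one to ship first: the same policy object produces both headers, so the violation reports collected in report-only mode tell you what the enforcing header would have blocked.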
Related Terms
OWASP
OWASP (Open Web Application Security Project) is the internet's biggest security club.
Security Headers
Security Headers are HTTP response headers that tell browsers 'here's how to protect my users.'
Subresource Integrity
Subresource Integrity (SRI) adds a hash to your script and link tags. The browser downloads the file, checks the hash, and only executes it if it matches.
XSS
XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.