[{"data":1,"prerenderedAt":314},["ShallowReactive",2],{"term-c\u002Fcontent-security-policy":3,"related-c\u002Fcontent-security-policy":297},{"id":4,"title":5,"acronym":6,"body":7,"category":277,"description":278,"difficulty":279,"extension":280,"letter":281,"meta":282,"navigation":283,"path":284,"related":285,"seo":290,"sitemap":291,"stem":294,"subcategory":295,"__hash__":296},"terms\u002Fterms\u002Fc\u002Fcontent-security-policy.md","Content Security Policy","CSP",{"type":8,"value":9,"toc":271},"minimark",[10,15,19,23,41,45,260,264,267],[11,12,14],"h2",{"id":13},"eli5-the-vibe-check","ELI5 — The Vibe Check",[16,17,18],"p",{},"Content Security Policy is an HTTP header that tells the browser exactly where it's allowed to load scripts, images, and other resources from. It's like a bouncer who only lets approved guests (trusted domains) provide scripts to the page. Even if an XSS attack injects a script tag, CSP can block it from running.",[11,20,22],{"id":21},"real-talk","Real Talk",[16,24,25,26,30,31,30,34,30,37,40],{},"CSP (Content Security Policy) is an HTTP response header that instructs browsers to restrict resource loading to specified origins. It's a defense-in-depth measure against XSS attacks. Directives include ",[27,28,29],"code",{},"script-src",", ",[27,32,33],{},"style-src",[27,35,36],{},"img-src",[27,38,39],{},"connect-src",", etc. 
Violations can be reported to a URI for monitoring.",[11,42,44],{"id":43},"show-me-the-code","Show Me The Code",[46,47,52],"pre",{"className":48,"code":49,"language":50,"meta":51,"style":51},"language-javascript shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","\u002F\u002F Setting CSP in Express\napp.use((req, res, next) => {\n  res.setHeader(\n    'Content-Security-Policy',\n    [\n      \"default-src 'self'\",\n      \"script-src 'self' https:\u002F\u002Fcdn.example.com\",\n      \"style-src 'self' 'unsafe-inline'\",\n      \"img-src 'self' data: https:\",\n      \"report-uri \u002Fcsp-violations\",\n    ].join('; ')\n  );\n  next();\n});\n","javascript","",[27,53,54,63,108,123,139,145,159,171,183,195,207,230,239,250],{"__ignoreMap":51},[55,56,59],"span",{"class":57,"line":58},"line",1,[55,60,62],{"class":61},"sHwdD","\u002F\u002F Setting CSP in Express\n",[55,64,66,70,74,78,81,83,87,90,93,95,98,101,105],{"class":57,"line":65},2,[55,67,69],{"class":68},"sTEyZ","app",[55,71,73],{"class":72},"sMK4o",".",[55,75,77],{"class":76},"s2Zo4","use",[55,79,80],{"class":68},"(",[55,82,80],{"class":72},[55,84,86],{"class":85},"sHdIc","req",[55,88,89],{"class":72},",",[55,91,92],{"class":85}," res",[55,94,89],{"class":72},[55,96,97],{"class":85}," next",[55,99,100],{"class":72},")",[55,102,104],{"class":103},"spNyl"," =>",[55,106,107],{"class":72}," {\n",[55,109,111,114,116,119],{"class":57,"line":110},3,[55,112,113],{"class":68},"  res",[55,115,73],{"class":72},[55,117,118],{"class":76},"setHeader",[55,120,122],{"class":121},"swJcz","(\n",[55,124,126,129,133,136],{"class":57,"line":125},4,[55,127,128],{"class":72},"    '",[55,130,132],{"class":131},"sfazB","Content-Security-Policy",[55,134,135],{"class":72},"'",[55,137,138],{"class":72},",\n",[55,140,142],{"class":57,"line":141},5,[55,143,144],{"class":121},"    [\n",[55,146,148,151,154,157],{"class":57,"line":147},6,[55,149,150],{"class":72},"      
\"",[55,152,153],{"class":131},"default-src 'self'",[55,155,156],{"class":72},"\"",[55,158,138],{"class":72},[55,160,162,164,167,169],{"class":57,"line":161},7,[55,163,150],{"class":72},[55,165,166],{"class":131},"script-src 'self' https:\u002F\u002Fcdn.example.com",[55,168,156],{"class":72},[55,170,138],{"class":72},[55,172,174,176,179,181],{"class":57,"line":173},8,[55,175,150],{"class":72},[55,177,178],{"class":131},"style-src 'self' 'unsafe-inline'",[55,180,156],{"class":72},[55,182,138],{"class":72},[55,184,186,188,191,193],{"class":57,"line":185},9,[55,187,150],{"class":72},[55,189,190],{"class":131},"img-src 'self' data: https:",[55,192,156],{"class":72},[55,194,138],{"class":72},[55,196,198,200,203,205],{"class":57,"line":197},10,[55,199,150],{"class":72},[55,201,202],{"class":131},"report-uri \u002Fcsp-violations",[55,204,156],{"class":72},[55,206,138],{"class":72},[55,208,210,213,215,218,220,222,225,227],{"class":57,"line":209},11,[55,211,212],{"class":121},"    ]",[55,214,73],{"class":72},[55,216,217],{"class":76},"join",[55,219,80],{"class":121},[55,221,135],{"class":72},[55,223,224],{"class":131},"; ",[55,226,135],{"class":72},[55,228,229],{"class":121},")\n",[55,231,233,236],{"class":57,"line":232},12,[55,234,235],{"class":121},"  )",[55,237,238],{"class":72},";\n",[55,240,242,245,248],{"class":57,"line":241},13,[55,243,244],{"class":76},"  next",[55,246,247],{"class":121},"()",[55,249,238],{"class":72},[55,251,253,256,258],{"class":57,"line":252},14,[55,254,255],{"class":72},"}",[55,257,100],{"class":68},[55,259,238],{"class":72},[11,261,263],{"id":262},"when-youll-hear-this","When You'll Hear This",[16,265,266],{},"\"Add a strict CSP header to reduce XSS risk.\" \u002F \"The CSP report showed a blocked inline script.\"",[268,269,270],"style",{},"html pre.shiki code .sHwdD, html code.shiki 
.sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .sHdIc, html code.shiki .sHdIc{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#EEFFFF;--shiki-default-font-style:italic;--shiki-dark:#BABED8;--shiki-dark-font-style:italic}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: 
var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":51,"searchDepth":65,"depth":65,"links":272},[273,274,275,276],{"id":13,"depth":65,"text":14},{"id":21,"depth":65,"text":22},{"id":43,"depth":65,"text":44},{"id":262,"depth":65,"text":263},"security","Content Security Policy is an HTTP header that tells the browser exactly where it's allowed to load scripts, images, and other resources from.","intermediate","md","c",{},true,"\u002Fterms\u002Fc\u002Fcontent-security-policy",[6,286,287,288,289],"XSS","CORS","HSTS","Escape",{"title":5,"description":278},{"changefreq":292,"priority":293},"weekly",0.7,"terms\u002Fc\u002Fcontent-security-policy",null,"r3WPDk_ngbXtfs3I2_d-MqAH9u-ZX0i-TmhGecAin70",[298,301,304,308,311],{"title":287,"path":299,"acronym":287,"category":277,"difficulty":279,"description":300},"\u002Fterms\u002Fc\u002Fcors","CORS (Cross-Origin Resource Sharing) is the browser's built-in protection that prevents random websites from making API calls to your backend using the vis...",{"title":6,"path":302,"acronym":6,"category":277,"difficulty":279,"description":303},"\u002Fterms\u002Fc\u002Fcsp","CSP stands for Content Security Policy.",{"title":289,"path":305,"acronym":295,"category":277,"difficulty":306,"description":307},"\u002Fterms\u002Fe\u002Fescape","beginner","Escaping means converting special characters into their safe equivalents before putting them in HTML, SQL, or a shell command.",{"title":288,"path":309,"acronym":288,"category":277,"difficulty":279,"description":310},"\u002Fterms\u002Fh\u002Fhsts","HSTS (HTTP Strict 
Transport Security) tells the browser 'this site is ALWAYS HTTPS, never even try HTTP.'",{"title":286,"path":312,"acronym":286,"category":277,"difficulty":279,"description":313},"\u002Fterms\u002Fx\u002Fxss","XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.",1776518269309]