CSP
ELI5 — The Vibe Check
CSP stands for Content Security Policy. It's a header you add to your web server's responses that tells the browser 'only run scripts from these places, only load images from those places'. It's one of the strongest defenses against XSS because even if an attacker manages to inject a script tag, the browser refuses to run it, since the script doesn't come from an allowed source.
Real Talk
CSP is implemented as the Content-Security-Policy HTTP header. A strict policy like script-src 'self' allows scripts only from the page's own origin, blocking all inline scripts and any external script from other origins. CSP Level 3 supports nonces and hashes, so individual inline scripts can be allowed without permitting all inline code ('unsafe-inline').
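As an added example (not part of this glossary entry), the snippet below builds a per-response strict policy with a fresh nonce and an inline-script hash, then models the browser's script-src decision so you can see which scripts a given policy lets through. It is a simplified evaluator for illustration only, not a full CSP implementation; the origins and script text are constructed sample values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit


def make_nonce():
    # 128 bits of randomness, base64-encoded. A nonce must be unpredictable
    # and freshly generated for every response, or it protects nothing.
    return base64.b64encode(secrets.token_bytes(16)).decode()


def script_hash(source):
    # CSP hash-source: 'sha256-<base64 digest of the exact inline script text>'.
    # Any change to the script text (even whitespace) changes the digest.
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode() + "'"


def build_policy(nonce, hashes=()):
    # Strict baseline: own origin plus explicitly allowed inline scripts.
    sources = ["'self'", "'nonce-%s'" % nonce, *hashes]
    return "script-src " + " ".join(sources) + "; object-src 'none'; base-uri 'none'"


def parse_script_src(policy):
    # Return the source list of the script-src directive (empty if absent).
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []


def script_allowed(policy, page_origin, src=None, inline=None, nonce=None):
    # Simplified model of the browser's decision for one <script> element.
    sources = parse_script_src(policy)
    if src is not None:  # external script: compare scheme://host[:port]
        parts = urlsplit(src)
        origin = "%s://%s" % (parts.scheme, parts.netloc)
        if "'self'" in sources and origin == page_origin:
            return True
        return origin in sources  # exact origin match only (no wildcards here)
    # Inline script: 'unsafe-inline' is ignored once a nonce or hash is listed,
    # which is what lets a strict policy stay compatible with older browsers.
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not strict:
        return True
    if nonce is not None and "'nonce-%s'" % nonce in sources:
        return True
    return inline is not None and script_hash(inline) in sources
```

In a real deployment the nonce from make_nonce() goes both into the header and into the nonce attribute of each legitimate inline script tag, and the same value must never be reused across responses.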
When You'll Hear This
"Our CSP blocks all third-party scripts unless explicitly whitelisted." / "Use CSP nonces to allow specific inline scripts without 'unsafe-inline'."
Related Terms
Content Security Policy (CSP)
Content Security Policy is an HTTP header that tells the browser exactly where it's allowed to load scripts, images, and other resources from.
Cross-Origin Resource Sharing (CORS)
CORS (Cross-Origin Resource Sharing) is the browser's built-in protection that prevents random websites from making API calls to your backend using the vis...
HTTP Strict Transport Security (HSTS)
HSTS (HTTP Strict Transport Security) tells the browser 'this site is ALWAYS HTTPS, never even try HTTP'.
Cross-Site Scripting (XSS)
XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so that when other users visit, the evil script runs in their browser.