CSP (Content Security Policy)
CSP is a security header that prevents XSS and data injection attacks by restricting where scripts can load from.
In plain English
A rule that tells the browser “only run code from these trusted places,” so bad scripts injected by attackers can’t run on your site.
CSP (Content Security Policy) is an HTTP response header that tells the browser which sources of content (scripts, styles, images) are trusted. It is a powerful defense against Cross-Site Scripting (XSS) and other code injection attacks.
A well-configured CSP can prevent unauthorized scripts from running, even if an attacker finds a vulnerability in the site. Our HTTP header checker verifies if your site is using a secure Content Security Policy.
Examples & Usage
Basic Strict Policy
Content-Security-Policy: default-src 'self'; script-src 'self' trusted-scripts.com; style-src 'self' 'unsafe-inline';
Report-Only Mode
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-violation-report-endpoint/
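As an added example (not code from this page or its header checker), a small Python audit that parses a CSP header value, applies the script-src to default-src fallback, and flags settings that weaken the protection against injected scripts; the inputs are the two headers shown above plus one constructed weak policy.

```python
from typing import Dict, List, Optional

# Source expressions that let scripts load from effectively anywhere.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split 'name src src; name src' into {name: [src, ...]} (tokens lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            # CSP ignores a repeated directive, so the first occurrence wins.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Fetch directives such as script-src fall back to default-src when absent."""
    return policy.get(directive, policy.get("default-src"))


def audit_csp(header_name: str, header_value: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing weak was spotted."""
    findings: List[str] = []
    policy = parse_csp(header_value)
    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("no script-src and no default-src: scripts may load from anywhere")
    else:
        # With a nonce or hash present, browsers ignore 'unsafe-inline', so only flag it alone.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': injected inline scripts still run")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval': eval()/Function() stay available")
        for src in scripts:
            if src in BROAD_SOURCES or src.startswith("*."):
                findings.append(f"script-src source {src} is too broad")
    styles = effective_sources(policy, "style-src") or []
    if "'unsafe-inline'" in styles:
        findings.append("style-src allows 'unsafe-inline': injected inline styles are not blocked")
    if header_name.lower() == "content-security-policy-report-only":
        findings.append("report-only header: violations are reported, not blocked")
    return findings


# Constructed inputs: the two headers from this page plus one deliberately weak policy.
SAMPLES = {
    "basic-strict": ("Content-Security-Policy",
                     "default-src 'self'; script-src 'self' trusted-scripts.com; style-src 'self' 'unsafe-inline'"),
    "report-only": ("Content-Security-Policy-Report-Only",
                    "default-src 'self'; report-uri /csp-violation-report-endpoint/"),
    "weak": ("Content-Security-Policy", "script-src 'unsafe-inline' *"),
}

if __name__ == "__main__":
    for label, (name, value) in SAMPLES.items():
        print(label, audit_csp(name, value) or ["ok"])
```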
