Build Content Security Policy headers to protect against XSS, clickjacking, data injection, and other web attacks.
Content Security Policy (CSP) is an HTTP security header that helps prevent XSS, clickjacking, and other code injection attacks. It tells the browser which sources of content (scripts, styles, images, etc.) are trusted, blocking everything else.
| Directive | Controls |
|---|---|
| default-src | Fallback for all resource types |
| script-src | JavaScript sources |
| style-src | CSS stylesheet sources |
| img-src | Image sources |
| font-src | Web font sources |
| connect-src | XMLHttpRequest, WebSocket, fetch |
| frame-src | Sources for iframes |
| media-src | Audio and video sources |
A misconfigured policy can block your own site's legitimate scripts, styles or images. Start with the Content-Security-Policy-Report-Only header to detect violations without blocking content. Once you've identified all legitimate sources, switch to enforcement mode by sending the same policy in the Content-Security-Policy header.
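The build-then-audit workflow above, as an added example (not code from the original page): a directive map is serialized into either the report-only or the enforcing header, and a small audit flags settings that would let injected content run. The hostnames (cdn.example.com, api.example.com, /csp-report) are constructed for the example, and the frame-ancestors check goes slightly beyond the directive table above.

```python
# Directive map for a constructed example application (assumed hosts, not
# from any real deployment): scripts from the same origin plus one CDN,
# styles and images from self, API calls to an assumed API host.
EXAMPLE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'", "https://api.example.com"],
    "frame-ancestors": ["'none'"],  # refuse to be framed (clickjacking)
}

def build_csp(directives, report_only=False, report_uri=None):
    """Serialize a directive map into (header_name, header_value).

    report_only=True emits Content-Security-Policy-Report-Only, which only
    reports violations (to report_uri) and blocks nothing.
    """
    parts = [f"{name} {' '.join(sources)}" for name, sources in directives.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(parts)

def parse_csp(value):
    """Parse a serialized policy back into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(value):
    """Return a list of weaknesses that would let injected content execute."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("missing default-src: unlisted resource types are unrestricted")
    # script-src falls back to default-src when it is absent
    script_sources = policy.get("script-src", policy.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
        if weak in script_sources:
            findings.append(f"script-src allows {weak}")
    if "frame-ancestors" not in policy:
        findings.append("missing frame-ancestors: page can be framed")
    return findings
```

Deploy the report-only variant first, review what gets reported, then emit the enforcing header once `audit_csp` returns no findings for the final policy.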