Devii · Frontend · 2026-03-21 · 7 min read


Content Security Policy: Shrink The XSS Blast Radius In Browsers

CSP directives from W3C: default-src, script-src, nonces, and why inline script bans help.

**Content Security Policy (CSP)** is a W3C mechanism delivered in an HTTP response header (or, with limitations, a `<meta>` tag) that allow-lists the sources each kind of content may load from. It mitigates **cross-site scripting** by refusing to execute script the policy did not expect.

Start with `Content-Security-Policy-Report-Only` to collect violation reports without blocking anything for users. Tighten `script-src` with nonces or hashes for the inline scripts you allow; avoid `unsafe-inline` in the final policy.

Figure: Browser developer tools inspection

`default-src 'self'` is the baseline; add `img-src` and `connect-src` for images and API calls, and `frame-ancestors` for clickjacking protection. Third-party widgets often force exceptions: document each one.

CSP complements escaping and sanitization; it does not replace server-side output encoding for HTML contexts.