How Content Security Policy (CSP) Secures Web Clients?

How Content Security Policy (CSP) Secures Web Clients

What is Content Security Policy (CSP)?

What is Content Security Policy (CSP)

Content Security Policy (CSP) is an additional layer of security on the HTTP browser traffic to mitigate Cross-Site-Scripting (XSS), data injection attacks.

CSP is designed to be backwards compatible, i.e. when browsers do not support CSP, it defaults to the same-origin policy for web content.


CSP configuration requires the web server to return the Content-Security-Policy HTTP header.

					Content-Security-Policy: policy-directive; policy-directive

The primary objective of CSP is to prevent XSS. XSS exploits the browser’s trust in all the content being loaded by the document to inject malicious executable scripts. A CSP compatible browser only executes scripts and resource files specified by the policy directives in the CSP HTTP header.

					Content-Security-Policy: default-src 'self'; img-src *; media-src *; script-src

In this instance the web admin wants the default content to load from the website’s own origin (note ‘self’), images from anywhere on the internet (note wildcard ‘*’), media from and all its subdomains, and javascript from

The web admin can also specify resources to specifically load over https.

					Content-Security-Policy: default-src 'self'

For deployment purposes, CSP can be deployed in a report-only mode where by policy, any CSP violation is reported to the value specified in the header through a POST request.

					Content-Security-Policy-Report-Only: to-test-policy
Content-Security-Policy: default-src 'self'; report-uri /dev/report-csp

In the above example, all violations will be reported to /dev/report-csp on origin.


Recent Posts

Follow Us

Web Application Firewall Solution

When To Use Multicloud

When To Use Multicloud?

Multicloud involves utilizing two or more cloud service providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud

Read More »