Skip to content
Skip to content
API Pricing RU Sign In
← All HTTP Headers
Security

Content-Security-Policy

Controls which resources the browser is allowed to load for a page, helping prevent XSS and data injection attacks.

Syntax

Content-Security-Policy: <directive> <source>; <directive> <source>

Example

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com

Description

The Content-Security-Policy (CSP) header is one of the most powerful security mechanisms available to web developers. It defines an allowlist of content sources that the browser should trust, effectively mitigating cross-site scripting (XSS) and other code injection attacks.

CSP works by specifying directives that control resource loading: default-src sets the fallback policy, script-src controls JavaScript sources, style-src manages CSS, and img-src handles images. Each directive can specify origins, keywords like \'self\' or \'unsafe-inline\', and nonce/hash-based whitelisting.

Implementing CSP correctly requires careful planning. Start with Content-Security-Policy-Report-Only to monitor violations without blocking, then gradually tighten the policy.

Check if your website sends this header correctly

Check your headers →

Related Articles

Web Server Security Hardening Checklist: Nginx and Apache
Complete web server hardening checklist for nginx and Apache. File permissions, security headers, TLS configuration, access control, and monitoring.
Security Headers: The Complete Guide
Complete guide to HTTP security headers: CSP, HSTS, X-Frame-Options, Permissions-Policy, CORP, COEP. Configuration and examples.
Content Security Policy (CSP) — A Complete Configuration Guide
What is Content Security Policy, how to configure the CSP header, which directives to use. Configuration examples and common mistakes.

Related Headers

Cross-Origin-Opener-Policy
Isolates the browsing context to prevent cross-origin attacks like Spectre from accessing sensitive data.
Cross-Origin-Resource-Policy
Restricts which origins can load a resource, preventing unauthorized cross-origin reads.
Permissions-Policy
Controls which browser features and APIs can be used on the page, such as camera, microphone, and geolocation.
Referrer-Policy
Controls how much referrer information is included with requests, balancing privacy with analytics needs.
Strict-Transport-Security
Instructs browsers to only access the site via HTTPS, protecting against protocol downgrade attacks and cookie hijacking.
X-Content-Type-Options
Prevents browsers from MIME-sniffing the content type, reducing the risk of drive-by downloads and XSS attacks.

Start monitoring for free

Sign up and get access to API, monitoring and notifications

Create Account API Documentation