CSP

What is CSP?

Content Security Policy

Content Security Policy (CSP) is a browser security feature delivered as an HTTP response header. It tells the browser which origins can provide scripts, styles, images, and other resources for your page. When an attacker injects a malicious script, CSP blocks it from executing because the script did not come from an allowed origin.

In more detail

CSP is the browser-level backstop against XSS — the single most common web vulnerability. Without CSP, any successful script injection runs with full access to the page. With CSP, scripts only run from origins you explicitly allow, so an injected `<script src="evil.com/steal">` is blocked even if the injection succeeds.

A basic policy looks like `default-src 'self'; script-src 'self' https://cdn.example.com`. You build it up based on which third-party origins your site actually loads from.

Baseline CSP header
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none';

Why this matters

Why builders care

AI-generated apps often paste user input into pages without escaping, which creates XSS vulnerabilities. CSP is the cheapest single header you can ship that stops most of those attacks from succeeding — even if your code has the underlying bug.

FAQ

Frequently asked questions

Can I just use `default-src *`?
That would allow everything, which defeats the point. Start with `default-src 'self'` and add specific origins as you need them.
Does CSP work in all browsers?
Yes, all modern browsers since 2015. CSP 3 features (like nonces and strict-dynamic) are widely supported as of 2023+.

Fix guides

Fix CSP issues

Missing CSP header

A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.

Read more

Missing X-Frame-Options

Without X-Frame-Options or CSP frame-ancestors, attackers can embed your site in an invisible iframe to trick users into clicking things. Here is the fix.

Read more

Mixed content warnings

Loading HTTP resources from an HTTPS page breaks the security guarantee. Browsers block most of it automatically now — here is how to fix the rest.

Read more

Free tools

Check it yourself

Security headers checker

Check CSP, HSTS, X-Frame-Options, and more in seconds.

Read more

Related terms

Keep learning

Cross-Site Scripting

XSS is an attack where malicious JavaScript gets injected into your site and runs in other users' browsers. CSP and input sanitization are the main defenses.

Read more

Security Headers

A set of HTTP response headers that harden your site against common web attacks. Every site should send all six.

Read more

X-Frame-Options

A response header that stops other sites from embedding your page in an iframe, preventing clickjacking attacks.

Read more

See where your site stands

Paste a URL, get a score in 60 seconds. Free, no signup.