A Content Security Policy (CSP) is a mechanism for web developers to increase the security of their websites. By setting a Content Security Policy, web developers can instruct web browsers to only load resources from certain trusted domains, enforce secure HTTPS connections, and even report policy violations as they occur. This can prevent many content injection and cross-site scripting (XSS) vulnerabilities, which often lead to data leaks, website vandalism, and malware distribution.
Policies are transmitted to the web browser by either setting the Content-Security-Policy HTTP header, or including a <meta http-equiv="Content-Security-Policy" ... > tag in the HTML source of the site. The actual policy data is a text string, made up of one or more directives that specify the desired restrictions and configurations.
To find out more about Content Security Policies, and their implementation in production applications, please refer to the following resources:
Originally posted on DigitalOcean Community Tutorials
Author: Brian Boucheron