What is Content Security Policy (CSP)?
An HTTP header that controls which resources (scripts, styles, images, etc.) a browser is allowed to load on your page. It's one of the strongest defenses against cross-site scripting (XSS) attacks.
In plain English
CSP is like a guest list for a private event. Only the people (resources) on the list get in. If an attacker tries to sneak in a malicious script, the bouncer (browser) checks the list and blocks it because it wasn't invited.
How it works
CSP is delivered as an HTTP response header (Content-Security-Policy) whose value lists the approved sources for each type of resource, one directive per type. For example, script-src 'self' https://cdn.example.com tells the browser to execute only scripts served from your own origin and from cdn.example.com (keyword sources such as 'self' must be quoted). Because that directive contains no 'unsafe-inline', nonce or hash, inline scripts and inline event handlers are blocked, as are scripts from any other host. Directives exist for scripts (script-src), styles (style-src), images (img-src), fonts (font-src), fetch/XHR/WebSocket connections (connect-src), who may frame the page (frame-ancestors) and more, with default-src as the fallback for any resource type the policy does not name.
Why it matters for AI-built apps
XSS attacks are among the most common web vulnerabilities, and CSP is the most effective browser-side defense against them. AI-generated code often leans on inline scripts and inline event handlers (onclick="..."), which are exactly what a strict policy blocks, so they must be moved into nonced or external scripts before the policy can be enforced. The protection a strict policy then provides against script injection is invaluable, especially for apps handling user data or payments.
Common issues
Overly permissive policies ('unsafe-inline' or 'unsafe-eval' in script-src defeats the purpose, as does a wildcard or a broad host allowlist: a CDN that also hosts JSONP endpoints or older JavaScript frameworks hands the attacker a permitted script source), no default-src fallback so unlisted resource types stay unrestricted, breaking third-party widgets by being too restrictive, not testing in report-only mode first, and using a <meta http-equiv="Content-Security-Policy"> tag instead of a header (a meta policy cannot use frame-ancestors, report-uri or sandbox, and only applies from the point in the document where the tag appears).
Best practices
Start with Content-Security-Policy-Report-Only, which reports violations without blocking anything, and collect the reports with report-to (plus report-uri for older browsers). Avoid 'unsafe-inline' in script-src: give each response a fresh random nonce and put it on every legitimate script tag, or use a sha256 hash for inline scripts whose text is fixed. Add 'strict-dynamic' so nonced scripts may load the scripts they need, and set object-src 'none' and base-uri 'self' (or 'none') to close the plugin and injected-base-tag bypasses. Be specific about allowed domains. Replace inline event handlers with addEventListener calls and move inline styles to external stylesheets. Tighten the policy incrementally, then switch the header from Report-Only to enforcing. Test thoroughly with third-party services (analytics, chat widgets, payment forms), which usually need their own frame-src and connect-src entries.
Frequently asked questions
Why does my CSP keep blocking things on my site?
CSP blocks anything your policy does not explicitly allow. Check the browser console: each violation message names the directive that was violated and the blocked URI (or 'inline' for inline code), so you can see exactly what was blocked and why. Common culprits: inline scripts and styles, inline event handlers, third-party analytics, embedded widgets, and Google Fonts (which needs fonts.googleapis.com in style-src and fonts.gstatic.com in font-src). Add legitimate sources to your policy and eliminate inline code where possible rather than loosening the policy with 'unsafe-inline'.
Can CSP completely prevent XSS attacks?
A strict CSP dramatically reduces XSS risk but isn't a silver bullet. It should be part of a defense-in-depth strategy that includes input validation, output encoding, and regular security reviews. CSP can't protect against server-side vulnerabilities or attacks that don't involve script injection.
Check your app
Get a professional review of your app at a fixed price.
Security Scan
Black-box review of your public-facing app. No code access needed.
- OWASP Top 10 checks
- SSL/TLS analysis
- Security headers
- Expert review within 24h
Code Audit
In-depth review of your source code for security, quality, and best practices.
- Security vulnerabilities
- Code quality review
- Dependency audit
- AI pattern analysis
Complete Bundle
Both scans in one package with cross-referenced findings.
- Everything in both products
- Cross-referenced findings
- Unified action plan
100% credited toward any paid service. Start with an audit, then let us fix what we find.
Worried about Content Security Policy (CSP) in your app?
Get a professional code audit ($19) or book a free call to discuss your concerns.