What is Content Security Policy (CSP)?
Content Security Policy is a browser security layer, delivered via the Content-Security-Policy HTTP response header, that controls which sources of content (scripts, styles, images and other resources) a page is allowed to load.
Allowlists sources: only approved origins can run scripts or load resources.
Blocks inline scripts: a major defence against XSS, because an injected script tag or event handler is refused by the browser.
Think of it as a strong backstop: even if an attacker injects a script, the browser refuses to run it.
CSP prevents XSS by controlling where scripts may be loaded from. Know the key directives: script-src, default-src (the fallback for any resource type without its own directive), and the 'self' source keyword (the page's own origin).
A strict CSP blocks inline scripts (no onclick handlers, no eval) unless the policy explicitly relaxes this with 'unsafe-inline' or 'unsafe-eval'. Report-only mode (the Content-Security-Policy-Report-Only header) reports violations without enforcing the policy, so a new policy can be tested without breaking the site.