Glossary
CSP
Content Security Policy
CSP (Content Security Policy) is an HTTP response header that tells browsers which sources of content the page trusts. It defines a whitelist per content type: script-src for JavaScript, style-src for CSS, img-src for images, connect-src for fetch/XHR/WebSocket, frame-src for iframes, and so on; types without their own directive fall back to default-src.
Example header (the header value ends at the final "https:"):
Content-Security-Policy: default-src 'self'; script-src 'self' https://www.googletagmanager.com; img-src 'self' data: https:
CSP’s primary value: defence-in-depth against XSS. Even if an attacker injects JavaScript into your page, a strict CSP prevents the browser from executing it (inline script is blocked unless it carries an allowed nonce or hash, and external script only runs from a whitelisted origin) and limits where the page can send data (connect-src blocks fetch/XHR/WebSocket exfiltration to attacker domains; the other directives, such as img-src, must be tightened as well, since each one governs its own channel).
Modern best practice: use a nonce-based CSP. Each page response includes a fresh, unguessable random nonce in its CSP header (e.g., script-src 'nonce-AbC123'), and only inline script tags carrying that same nonce can run; an injected script does not know the nonce, so it is blocked. The nonce must be generated per response from a cryptographic random source and never reused. This is strict but lets you ship dynamic content securely. Static analyzers like Google’s CSP Evaluator score your policy and flag weaknesses.
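As an added illustration (not code from the original entry or from CSP Evaluator), the following Python generates a per-response nonce, builds the nonce-based policy described above (adding 'strict-dynamic', object-src and base-uri, which are assumptions beyond the entry's example), and runs a small checker over a header value that flags the same kinds of weaknesses an evaluator would: 'unsafe-inline' without a nonce or hash, overly broad script sources, object-src not 'none', and a missing base-uri.

```python
import secrets

BROAD_SCRIPT_SOURCES = {"*", "data:", "http:", "https:"}

def make_nonce() -> str:
    """Fresh, unguessable nonce for one response: 128 bits from the OS CSPRNG, base64url."""
    return secrets.token_urlsafe(16)

def build_strict_csp(nonce: str) -> str:
    """Nonce-based policy of the kind recommended above (object-src/base-uri are our additions)."""
    return "; ".join([
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",  # only scripts carrying the nonce run
        "object-src 'none'",                               # plugins could otherwise execute script
        "base-uri 'none'",                                 # stops <base> injection redirecting relative URLs
        "default-src 'self'",
    ])

def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}; like browsers, keep the first
    occurrence of a duplicated directive and ignore later ones."""
    policy: dict[str, list[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective(policy: dict[str, list[str]], directive: str):
    """Fetch directives (script-src, object-src, ...) fall back to default-src; base-uri does not."""
    if directive in policy:
        return policy[directive]
    if directive != "base-uri":
        return policy.get("default-src")
    return None

def find_weaknesses(header_value: str) -> list[str]:
    """Return human-readable findings for a CSP header value; an empty list means no issue found."""
    policy = parse_csp(header_value)
    findings = []
    script = effective(policy, "script-src")
    if script is None:
        findings.append("script-src: neither script-src nor default-src set, so script may load from anywhere")
    else:
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("script-src: 'unsafe-inline' lets injected inline script run (no nonce/hash to override it)")
        findings += [f"script-src: overly broad source {s}" for s in script if s in BROAD_SCRIPT_SOURCES]
    if effective(policy, "object-src") != ["'none'"]:
        findings.append("object-src: should be 'none'")
    if "base-uri" not in policy:
        findings.append("base-uri: missing (does not fall back to default-src)")
    return findings
```

Running find_weaknesses on the entry's example header reports only the missing object-src 'none' and base-uri, while the nonce-based policy from build_strict_csp reports nothing.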
Published May 15, 2026