What Is CSP?
Content Security Policy (CSP) is an HTTP response header that tells the browser which sources a page may load scripts, styles, images and other resources from. It is one of the most effective defenses against Cross-Site Scripting (XSS): even when an attacker manages to inject markup into a page, the browser refuses to run scripts, styles and other resources that the policy does not allow. CSP is a defense-in-depth layer; it complements output encoding and input validation rather than replacing them.
How CSP Works
You send a Content-Security-Policy header with your HTTP response. The browser parses it into directives and enforces them for the lifetime of the page, blocking every load that violates them. If an attacker injects a <script> tag pointing to their own server, the browser refuses to load it because that origin is not listed in script-src; an injected inline <script> is refused as well unless the policy explicitly allows inline code through 'unsafe-inline', a matching nonce or a hash.
Key Directives
- default-src — fallback for all resource types
- script-src — JavaScript sources
- style-src — CSS sources
- img-src — image sources
- connect-src — AJAX, WebSocket, fetch targets
- font-src — web font sources
- frame-src — iframe sources
Common Values
- 'self' — same origin only (same scheme, host and port as the page)
- 'none' — block everything
- 'unsafe-inline' — allow inline scripts/styles (weakens CSP significantly, because injected inline code is exactly what XSS relies on)
- 'nonce-abc123' — allow specific inline scripts with a matching nonce; the nonce must be a fresh, unpredictable value generated for every response, and each permitted <script> carries it in its nonce attribute
- Domain names — https://cdn.example.com
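To make the directive lookup and source matching concrete, here is an added example (not code from the original article or from CodeKitLab): a JavaScript model of the browser-side check described above. The page origin, policy and loads are constructed for the demo, and the model covers only the directives and source values listed in this article; real browsers implement far more (hashes, 'strict-dynamic', scheme-only sources and so on).

```javascript
// Added example, not code from the original article: a small model of how a
// browser evaluates a Content-Security-Policy header. It parses the header into
// directives and decides whether a given load is allowed, applying the
// default-src fallback, 'self', 'none', host sources (with a leading wildcard),
// 'unsafe-inline' and nonces. The origins and loads below are constructed.

// Parse "default-src 'self'; script-src 'self' https://cdn.example.com" into a
// Map of directive name -> array of source expressions. As in the spec, a
// directive that appears twice keeps its first occurrence.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Match one source expression against a resource URL. Handles 'self', exact
// host sources such as https://cdn.example.com and wildcard subdomains such as
// https://*.example.com; anything else ('none', nonces, unknown keywords) matches nothing.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:*]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (url.protocol !== `${scheme.toLowerCase()}:`) return false; // http:// does not satisfy https://
  const hostname = url.hostname.toLowerCase();
  const hostOk = wildcard
    ? hostname.endsWith(`.${host.toLowerCase()}`)
    : hostname === host.toLowerCase();
  if (!hostOk) return false;
  const defaultPorts = { 'https:': '443', 'http:': '80' };
  const effectivePort = url.port || defaultPorts[url.protocol] || '';
  return !port || effectivePort === port;
}

// Decide whether a load is allowed. `load` is either
//   { directive: 'script-src', url: 'https://...' }           an external resource, or
//   { directive: 'script-src', inline: true, nonce: 'abc' }   an inline element.
function isAllowed(policy, load, pageOrigin) {
  // Fetch directives fall back to default-src when they are not set explicitly.
  const sources = policy.get(load.directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing governs this load type
  if (load.inline) {
    const hasNonce = sources.some((s) => s.startsWith("'nonce-"));
    // A nonce in the list switches 'unsafe-inline' off in CSP Level 2+ browsers,
    // which lets one policy stay compatible with old browsers yet strict in new ones.
    if (sources.includes("'unsafe-inline'") && !hasNonce) return true;
    return load.nonce !== undefined && sources.includes(`'nonce-${load.nonce}'`);
  }
  const url = new URL(load.url);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed policy and loads for the demo; the expected verdict is in each comment.
const PAGE_ORIGIN = 'https://app.example.com';
const HEADER =
  "default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-r4nd0m'; " +
  "img-src 'self' https://*.images.example.net";

function evaluateSamples() {
  const policy = parsePolicy(HEADER);
  const check = (load) => isAllowed(policy, load, PAGE_ORIGIN);
  return {
    ownScript:      check({ directive: 'script-src', url: 'https://app.example.com/app.js' }),  // true
    cdnScript:      check({ directive: 'script-src', url: 'https://cdn.example.com/lib.js' }),  // true
    attackerScript: check({ directive: 'script-src', url: 'https://evil.example.org/x.js' }),   // false
    httpCdn:        check({ directive: 'script-src', url: 'http://cdn.example.com/lib.js' }),   // false: scheme mismatch
    noncedInline:   check({ directive: 'script-src', inline: true, nonce: 'r4nd0m' }),          // true
    injectedInline: check({ directive: 'script-src', inline: true }),                           // false
    wildcardImage:  check({ directive: 'img-src', url: 'https://a.images.example.net/p.png' }), // true
    fontFallback:   check({ directive: 'font-src', url: 'https://fonts.example.com/f.woff2' }), // false: default-src 'self'
  };
}

console.table(evaluateSamples());
```

The font case is the one to notice: font-src is never mentioned in the header, so the load is judged by default-src 'self' and refused. That fallback is why default-src 'self' is the right baseline: anything you forget to list is restricted rather than wide open.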
Generate CSP Headers
Use the CSP Header Generator on CodeKitLab to build your Content Security Policy visually — toggle directives, add sources, and get ready-to-use nginx and Apache configuration snippets. For server configuration, also check the Nginx Config Generator and .htaccess Generator.
Starting Strategy
- Start with Content-Security-Policy-Report-Only to monitor without blocking
- Set default-src 'self' as the baseline
- Add specific sources for each directive as needed
- Remove 'unsafe-inline' by using nonces or hashes
- Monitor violation reports and tighten the policy over time
CSP is not optional for production sites. It is a frontline defense against XSS, one of the most common web attack vectors.
Content Security Policy
CSP is an HTTP header that tells the browser which resources may be loaded. It protects against XSS attacks. Generate CSP headers with the CSP Header Generator. For nginx configuration, use the Nginx Config Generator.