Content-Security-Policy
CSP is an allowlist for the resources a page may load and execute (scripts, styles, images, frames, connections…). A tight policy is the most effective defense against cross-site scripting and injection: even if an attacker injects markup, the browser refuses to run scripts that aren't allowed. The strong baseline is default-src 'self' plus object-src 'none', base-uri 'self', and frame-ancestors 'none'. Avoid 'unsafe-inline'/'unsafe-eval' in script-src — prefer nonces or hashes. Test first with Report-Only mode, which reports violations without blocking. (Reference: MDN)
Example
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
Options
| Option | Type | Default | Notes |
|---|---|---|---|
| mode | select (enforce / report) | enforce | Report-Only emits Content-Security-Policy-Report-Only — good for testing a new policy. |
| preset | select (strict / basic / custom) | strict | |
| upgradeInsecure | toggle | false | Rewrite http:// subresource requests to https://. |
| default-src | text | 'self' | |
| script-src | text | 'self' | |
| style-src | text | 'self' | |
| img-src | text | 'self' | |
| font-src | text | 'self' | |
| connect-src | text | 'self' | |
| object-src | text | 'none' | 'none' blocks `<object>`/`<embed>` plugins. |
| frame-ancestors | text | 'none' | 'none' is anti-clickjacking; supersedes X-Frame-Options. |
| base-uri | text | 'self' | |
| form-action | text | 'self' | |
| raw | textarea | (empty) | |
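The following is an added example, not the generator's own code: it assembles the header from the option set in the table above (the strict preset, mode, upgradeInsecure and raw are assumed to map as described there) and lints a policy value for the weak sources and missing directives the text warns about.

```javascript
// Assumed strict preset: the directive values from the Options table above.
const STRICT_PRESET = {
  "default-src": "'self'", "script-src": "'self'", "style-src": "'self'",
  "img-src": "'self'", "font-src": "'self'", "connect-src": "'self'",
  "object-src": "'none'", "frame-ancestors": "'none'", "base-uri": "'self'",
  "form-action": "'self'",
};

// Assemble the header. mode "report" switches to the Report-Only header name;
// a non-empty raw value replaces the assembled directives; upgradeInsecure
// appends upgrade-insecure-requests. Returns { name, value }.
function buildCsp({ mode = "enforce", directives = STRICT_PRESET,
                    upgradeInsecure = false, raw = "" } = {}) {
  const name = mode === "report"
    ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  let value = raw.trim();
  if (!value) {
    const parts = Object.entries(directives).map(([d, v]) => `${d} ${v}`);
    if (upgradeInsecure) parts.push("upgrade-insecure-requests");
    value = parts.join("; ");
  }
  return { name, value };
}

// Parse a policy value into { directive: [sources...] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Lint a policy for the weaknesses the text above calls out. script-src and
// object-src fall back to default-src when absent; base-uri and frame-ancestors
// do not, so they must be stated explicitly.
function lintCsp(value) {
  const p = parseCsp(value);
  const findings = [];
  const scripts = p["script-src"] ?? p["default-src"] ?? [];
  for (const weak of ["'unsafe-inline'", "'unsafe-eval'", "*"]) {
    if (scripts.includes(weak)) findings.push(`script-src allows ${weak}`);
  }
  const objects = p["object-src"] ?? p["default-src"];
  if (!objects || !objects.includes("'none'")) findings.push("object-src is not 'none'");
  if (!p["base-uri"]) findings.push("base-uri missing (no default-src fallback)");
  if (!p["frame-ancestors"]) findings.push("frame-ancestors missing (no default-src fallback)");
  return findings;
}
```

Running lintCsp over the strict preset returns no findings, while a policy that adds 'unsafe-inline' or omits base-uri/frame-ancestors is reported.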
Scoring
Contributes up to 40 points to your grade.