Read Case Study > Jesse Tutt
Founder & CEO
Struggling to tell your APIs from your CDNs? Read our comprehensive cloud computing glossary covering the most common terms.
< Back to glossary
A Content Security Policy (CSP) is a security standard designed to prevent malicious attacks such as cross-site scripting (XSS), clickjacking, and data injection by controlling which resources (e.g., scripts, stylesheets, images) can be loaded on a web page. It is implemented through HTTP headers or meta tags in HTML.
Policy Definition: Website administrators define a CSP in the HTTP response header or HTML tag. This policy specifies which sources are trusted for loading resources like scripts (script-src), stylesheets (style-src), images (img-src), etc.
Browser Enforcement: When a browser loads the web page, it checks all resource requests against the CSP directives.
If a resource originates from an untrusted source, the browser blocks it from loading.
Violation Reporting: CSP can be configured to report violations to a specified URL for monitoring potential attacks.
Script Control (script-src): Restricts JavaScript execution to trusted sources only.
Style Protection (style-src): Ensures that only approved stylesheets are applied to the page.
Frame Restrictions (frame-ancestors): Prevents unauthorized embedding of web pages in iframes.
Reporting (report-uri): Sends violation reports to help identify security threats.
Protection Against XSS Attacks: Blocks malicious scripts injected into web pages by attackers.
Improved Website Security: Reduces risks associated with third-party resources like ads or analytics scripts.
Compliance with Security Standards: Helps organizations meet regulatory requirements for secure web applications.
Implementation Complexity: Requires careful planning to avoid blocking legitimate resources while enforcing security policies.
Maintenance Overhead: Policies must be updated frequently as websites evolve or integrate new third-party services.
Limited Adoption by Developers: Despite its benefits, many websites fail to implement CSP due to lack of awareness or technical expertise.
Real-World Example: An e-commerce site implements CSP to prevent attackers from injecting malicious scripts into its payment page. By restricting JavaScript execution to trusted domains only, it ensures customer payment data remains secure during transactions.
