Security guide

What Is Content Security Policy?

Learn what Content Security Policy does, where it helps, where it does not, and how to approach CSP rollout on a website.

Problem Summary

Content Security Policy is a browser security control that limits which sources can load scripts, styles, images, frames, and other resources. It is most useful when treated as a carefully maintained policy, not a one-time header.

Why It Matters

  • CSP can reduce the impact of some content injection and cross-site scripting paths.
  • A policy can also restrict framing, plugin usage, upgrade behavior, and reporting depending on directives used.
  • Overly broad directives can create a false sense of coverage, while overly strict directives can break real application behavior.

How Qourby Checks It

  • Checks whether Content-Security-Policy or Content-Security-Policy-Report-Only is present on scanned HTML responses.
  • Flags policies that are missing or contain obviously weak patterns such as broad wildcards in sensitive directives.
  • Shows the observed policy so developers can compare it with intended sources.
  • Automated CSP checks cannot prove that every XSS path is blocked; manual testing is still needed for injection risk.

Basic scanning checks externally observable configuration and response behavior. Manual penetration testing goes further with authenticated flows, exploit validation, source review, business logic testing, and human judgment.

Common Failures

  • No CSP header on pages that render user-controlled or third-party content.
  • script-src allows unsafe-inline without a nonce, hash, or a clear migration plan.
  • default-src is broad and sensitive directives are not defined separately.
  • Policy exists on the home page but not application routes.
  • Report-only policy is never promoted or reviewed.

How To Fix

  • Inventory required first-party and third-party sources before enforcing a policy.
  • Start with Content-Security-Policy-Report-Only when breakage risk is high.
  • Use nonce- or hash-based script controls where the framework supports them.
  • Define frame-ancestors for embedding control instead of relying only on legacy frame headers.
  • Review violation reports before tightening directives.
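As an added example (not Qourby's scanner code), the following Python linter checks one Content-Security-Policy (or Report-Only) header value for the weak patterns listed under Common Failures, so a policy can be reviewed before it is tightened or promoted; the set of directives it treats as sensitive and the sample headers are assumptions.

```python
import re

# Directives this example treats as sensitive: a broad default-src should not be
# left to cover them. frame-ancestors never inherits from default-src at all.
SENSITIVE = ("script-src", "object-src", "base-uri", "frame-ancestors")
BROAD = {"*", "http:", "https:"}  # wildcard or scheme-only sources
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")

def parse_csp(header: str) -> dict:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def lint_csp(header: str) -> list:
    """Return the weak patterns from this guide found in a CSP header value."""
    p = parse_csp(header)
    findings = []
    default = p.get("default-src", [])
    if BROAD & set(default):
        undefined = [d for d in SENSITIVE if d not in p]
        if undefined:
            findings.append("broad default-src covers undefined " + ", ".join(undefined))
    script = p.get("script-src", default)  # script-src falls back to default-src
    if BROAD & set(script):
        findings.append("script-src allows a wildcard or scheme-only source")
    if "'unsafe-inline'" in script and not any(NONCE_OR_HASH.match(s) for s in script):
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "frame-ancestors" not in p:
        findings.append("frame-ancestors not defined; framing is not controlled by CSP")
    return findings

# Constructed sample headers (not observed from any real site).
WEAK = "default-src *; script-src 'self' 'unsafe-inline' https://cdn.example.com"
STRONG = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; "
          "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("strong", STRONG)):
        print(label, lint_csp(header) or ["no findings"])
```

With a nonce or hash present, 'unsafe-inline' is ignored by browsers that support CSP level 2, which is why the strong sample produces no finding for it.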
