Content Security Policy

Mitigate XSS and content-injection attacks with a strict Content Security Policy. Applies to web apps only.

  • Start strict: default-src 'none', then add only the directives and sources each page actually needs (style-src, img-src, connect-src, and so on). Set base-uri 'none' and form-action 'self' as well, so an injected <base> tag or form cannot redirect script URLs or submissions.
  • Nonce-based scripts: script-src 'nonce-{random}' 'strict-dynamic' SHOULD be used. The nonce MUST be freshly generated per response from a CSPRNG (at least 128 bits, base64-encoded) and never reused. This is more secure than host allowlisting, which is bypassable through JSONP endpoints and other attacker-controllable scripts hosted on the allowlisted domains or CDNs.
  • Policies MUST NOT include 'unsafe-inline' or 'unsafe-eval' in script-src; both reintroduce the inline-script and string-to-code execution that CSP exists to block. Note that a nonce or hash in script-src causes CSP Level 2+ browsers to ignore 'unsafe-inline', so keeping it never adds protection.
  • frame-ancestors 'self' (or 'none' when the app is never framed) to prevent clickjacking; it supersedes X-Frame-Options, which browsers ignore when frame-ancestors is present.
  • New policies SHOULD be deployed in report-only mode first (Content-Security-Policy-Report-Only header) to find violations before enforcing. Report-only mode produces nothing visible unless the policy also names a reporting endpoint (report-uri, or report-to with a Reporting-Endpoints header), so include one and review the reports before switching to the enforcing header.
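
As an added example (not part of this rule card or any project's code), a TypeScript helper that builds the header described by the rules above and lints a candidate policy against them. The report endpoint path /csp-reports, the optional extra connect-src origins, and the weak sample policy used as lint input are assumptions constructed for the example.

```typescript
import { randomBytes } from "node:crypto";

// Per-response nonce: 128 bits from the platform CSPRNG, base64-encoded
// (the form browsers expect inside 'nonce-...'). Never reuse across responses.
export function makeNonce(): string {
  return randomBytes(16).toString("base64");
}

export interface CspOptions {
  nonce: string;
  reportOnly?: boolean;
  // Assumed endpoint that receives violation reports, e.g. "/csp-reports".
  reportEndpoint?: string;
  // Extra origins the app must fetch from; added only when actually needed.
  connectSrc?: string[];
}

// Build the policy described above: start from default-src 'none', add only
// what is needed, nonce + 'strict-dynamic' for scripts, frame-ancestors 'self'.
// Returns the header name (report-only vs enforcing) and its value.
export function buildCsp(opts: CspOptions): { header: string; value: string } {
  const directives = [
    "default-src 'none'",
    `script-src 'nonce-${opts.nonce}' 'strict-dynamic'`,
    "style-src 'self'",
    "img-src 'self'",
    "font-src 'self'",
    `connect-src ${["'self'", ...(opts.connectSrc ?? [])].join(" ")}`,
    "base-uri 'none'",
    "form-action 'self'",
    "frame-ancestors 'self'",
  ];
  if (opts.reportEndpoint) {
    directives.push(`report-uri ${opts.reportEndpoint}`);
  }
  return {
    header: opts.reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
    value: directives.join("; "),
  };
}

// Lint a policy string against the rules above. Returns a list of problems;
// an empty list means the policy meets them.
export function lintCsp(value: string): string[] {
  const problems: string[] = [];
  const directives = new Map<string, string[]>();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  // script-src falls back to default-src when absent, as the browser does.
  const script = directives.get("script-src") ?? directives.get("default-src") ?? [];
  if (script.includes("'unsafe-inline'")) problems.push("script-src allows 'unsafe-inline'");
  if (script.includes("'unsafe-eval'")) problems.push("script-src allows 'unsafe-eval'");
  if (!script.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"))) {
    problems.push("script-src has no nonce or hash");
  }
  if (!script.includes("'strict-dynamic'")) problems.push("script-src lacks 'strict-dynamic'");
  // Anything that is not a quoted keyword is a host/scheme allowlist entry (bypassable).
  const hosts = script.filter((s) => !s.startsWith("'"));
  if (hosts.length > 0) problems.push(`script-src allowlists hosts: ${hosts.join(", ")}`);
  if (!(directives.get("default-src") ?? []).includes("'none'")) {
    problems.push("default-src is not 'none'");
  }
  if (!directives.has("frame-ancestors")) problems.push("frame-ancestors not set");
  return problems;
}

// Usage: generate the report-only header pair for one response.
const nonce = makeNonce();
const rollout = buildCsp({ nonce, reportOnly: true, reportEndpoint: "/csp-reports" });
console.log(`${rollout.header}: ${rollout.value}`);
// Constructed weak policy, as lint input (assumed, not from any real site):
console.log(lintCsp("default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"));
```

The same nonce value must also be placed on every <script nonce="..."> tag the server renders for that response. report-uri is marked deprecated in CSP Level 3 in favour of report-to, but remains the most widely supported way to receive reports; switch `reportOnly` to false once the report stream is clean.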

version: 1.0.0
platforms: typescript, web
tags: content-security-policy, security
author: Mike Fullerton
modified: 2026-03-27

Change History

Version  Date        Author          Summary
1.0.0    2026-03-27  Mike Fullerton  Initial creation