WAFPlanet

Content Security Policy (CSP)

HTTP Security Headers

Quick Definition

A security HTTP response header that mitigates cross-site scripting (XSS), clickjacking, and other injection attacks by telling the browser which sources it may load scripts, styles, images and other content from, and (via frame-ancestors) which sites may embed the page.

What is Content Security Policy?

Content Security Policy (CSP) is a security standard, delivered as an HTTP response header (or, with some restrictions, as an HTML meta tag), that lets web application developers declare which resources (scripts, styles, images, etc.) the browser is allowed to load for a given page, and whether inline scripts and styles may run at all. It is a strong second layer of defense against XSS and other injection attacks: even if an attacker gets markup into the page, the browser refuses to execute script from any source the policy does not name. It is a mitigation, not a replacement for output encoding and input validation.

CSP directives include:

  • default-src: Fallback for any fetch directive (script-src, img-src, connect-src, ...) that is not set explicitly
  • script-src: Valid sources for JavaScript; omitting 'unsafe-inline' here is what blocks injected inline scripts
  • style-src: Valid sources for stylesheets
  • img-src: Valid sources for images
  • connect-src: Valid sources for fetch/XHR, WebSocket and EventSource connections
  • frame-src: Valid sources for frames and iframes embedded by this page
  • frame-ancestors: Which origins may embed this page; this, not frame-src, is the directive that prevents clickjacking, and it does not fall back to default-src
  • report-uri: Where to send violation reports (deprecated in CSP Level 3 in favour of report-to, but still widely supported)

CSP can operate in enforcement mode (the Content-Security-Policy header, which blocks violations) or report-only mode (the Content-Security-Policy-Report-Only header, which only sends violation reports to the report-uri or report-to endpoint without blocking anything). Deploying the same policy in report-only mode first reveals the legitimate loads it would break, so it can be tightened gradually before being switched to enforcement.

Examples

A restrictive allowlist-based CSP header:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;

This policy allows scripts only from the same origin and the named CDN, and because script-src omits 'unsafe-inline', inline script blocks and event-handler attributes that an attacker injects will not execute. Note what it does not do: style-src keeps 'unsafe-inline', so injected inline styles still apply; img-src https: lets images load from any HTTPS host, which leaves image requests open as an exfiltration channel; there is no frame-ancestors directive, so this header does nothing against clickjacking; and a host allowlist is only as safe as the weakest file on the allowlisted host, since a JSONP endpoint or an old framework build served from the CDN can be used to run attacker-chosen code while staying inside the policy. A policy that is "strict" in the usual sense replaces host allowlists with per-response nonces or hashes (typically with 'strict-dynamic'), and sets object-src 'none' and base-uri 'none' or 'self'.