What is CSP?

Content-Security-Policy (CSP) is an HTTP response header that tells the browser which sources of content - scripts, styles, images, fonts, frames - are permitted on a page. By restricting each resource type to an explicit allowlist, CSP stops the browser from running injected scripts, so even when an XSS vulnerability exists in the application code the attacker's payload is blocked rather than executed.

Key directives

  • default-src - fallback policy for all resource types
  • script-src - controls which scripts can execute (the most security-critical directive)
  • style-src - controls stylesheet sources
  • img-src - controls image sources
  • frame-ancestors - controls which sites can embed this page in frames (replaces X-Frame-Options)

Deployment approach

Start with Content-Security-Policy-Report-Only (with a report-to or report-uri directive so violation reports have somewhere to go) to collect reports without blocking any content. Once all legitimate sources have been identified and allowed, switch the header name to Content-Security-Policy to enforce the policy. SurfaceLoop detects missing CSP headers and weak configurations like unsafe-inline across all your domains.
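The directive fallback rules above and the kind of weak-configuration check described in the deployment section, as an added example written for this page (it is not SurfaceLoop's code). It parses a CSP header value, resolves which source list actually applies to a directive via default-src, flags the weaknesses a scanner would report, and picks the header name for the report-only or enforcement stage. The sample policies and the nonce value are constructed for the demonstration.

```python
"""Added example: a small CSP header parser and weakness checker written for
this page; it is not SurfaceLoop's code. Sample policies below are constructed."""

from __future__ import annotations

# Fetch directives fall back to default-src when absent (subset of the CSP Level 3
# list). Document/navigation directives such as frame-ancestors do NOT fall back,
# so omitting them leaves that behaviour unrestricted.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "frame-src", "media-src", "object-src", "worker-src", "manifest-src",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse 'name value value; name value ...' into {name: [values]}.
    Browsers ignore a repeated directive name, so the first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Resolve the source list that actually applies to a directive, following the
    default-src fallback. None means that resource type is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def has_nonce_or_hash(sources: list[str]) -> bool:
    """True if the list carries a 'nonce-...' or 'sha256/384/512-...' source."""
    prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return any(s.startswith(prefixes) for s in sources)


def find_weaknesses(header: str) -> list[str]:
    """Return the findings a scanner would report for one CSP header value."""
    policy = parse_csp(header)
    findings: list[str] = []

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("script-src unrestricted: no script-src and no default-src")
    else:
        # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline' (it then only
        # serves as a fallback for old browsers), so flag it only when neither is present.
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash(scripts):
            findings.append("script-src allows 'unsafe-inline': injected inline scripts run")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval': string-to-code APIs enabled")
        for broad in ("*", "http:", "https:", "data:"):
            if broad in scripts:
                findings.append(f"script-src allows {broad}: any origin on that scheme may supply scripts")

    if effective_sources(policy, "object-src") is None:
        findings.append("object-src unrestricted: set object-src 'none'")

    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: page can be framed by any site (clickjacking)")

    return findings


def header_for(policy_value: str, enforce: bool) -> tuple[str, str]:
    """Header name/value pair for the two deployment stages: report-only first,
    then enforcement once the allowlist is complete."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, policy_value


# Constructed sample policies for a quick self-check.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
STRICT = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
          "style-src 'self'; img-src 'self' data:; object-src 'none'; "
          "frame-ancestors 'none'; base-uri 'none'; report-to csp-endpoint")

if __name__ == "__main__":
    for label, value in (("weak", WEAK), ("strict", STRICT)):
        print(label, find_weaknesses(value) or ["no findings"])
    print(header_for(STRICT, enforce=False)[0])
```

Running the script reports two findings for the weak policy (inline scripts permitted, no frame-ancestors) and none for the strict one. The effective_sources helper makes the fallback rule visible: with only default-src 'self' set, img-src resolves to 'self' but frame-ancestors resolves to None, which is exactly why frame-ancestors must be set explicitly.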