Content Security Policy (CSP)
Also Known As
CSP
Content-Security-Policy header
TL;DR
An HTTP response header that restricts which scripts, styles, and resources the browser is allowed to load.
Explanation
CSP is a defence-in-depth measure against XSS. By declaring a policy via the Content-Security-Policy header, you tell the browser to refuse to execute inline scripts, to load scripts only from the origins you list, and to reject eval(). Even if an attacker injects a script tag, CSP prevents it from running. A strict CSP (script-src 'nonce-{random}') is the most effective configuration. CSP does not replace output encoding; it is an additional layer.
Diagram
flowchart TD
PAGE[Page served with CSP header] --> BROWSER3[Browser enforces policy]
BROWSER3 --> SCRIPTS{Script source allowed?}
SCRIPTS -->|from own domain| ALLOW3[Execute]
SCRIPTS -->|inline script tag| BLOCK3[Block - no unsafe-inline]
SCRIPTS -->|from cdn example.com| CHECK3{In script-src?}
CHECK3 -->|yes| ALLOW3
CHECK3 -->|no| BLOCK3
subgraph Directives
DEFAULT[default-src self]
SCRIPT[script-src self nonce-xyz]
STYLE[style-src self unsafe-inline]
IMG[img-src self data blob]
end
style ALLOW3 fill:#238636,color:#fff
style BLOCK3 fill:#f85149,color:#fff
Common Misconception
✗ A CSP with unsafe-inline still meaningfully prevents XSS. unsafe-inline defeats the primary purpose of CSP by allowing all inline scripts — a meaningful CSP requires nonces or hashes instead.
Why It Matters
CSP is the primary browser-enforced defence against XSS — it restricts which scripts can execute, where resources load from, and prevents inline script injection even if an XSS vulnerability exists.
Common Mistakes
- Using unsafe-inline in the script-src directive — negates XSS protection entirely.
- Using unsafe-eval — allows string-to-code execution which attackers can exploit.
- An overly permissive default-src * that effectively disables source restrictions.
- Not deploying CSP at all, relying solely on output encoding which may have gaps.
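As an added example (not code from this page), the kind of check a scanner such as csp-evaluator performs: a small Python evaluator that parses a policy header and reports the weaknesses listed under Common Mistakes and Detection Hints. The default-src fallback and the rule that a nonce or hash makes 'unsafe-inline' ignored follow the CSP specification; the object-src and base-uri checks and the finding messages are this example's own additions.

```python
# Sources that remove origin restrictions when they appear in the script directive.
SCHEME_WILDCARDS = {"*", "http:", "https:", "data:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}.
    Directive names are case-insensitive; as in browsers, the first occurrence
    of a directive wins and later duplicates are ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy: dict, directive: str):
    """Resolve a fetch directive, honouring the browser's default-src fallback."""
    if directive in policy:
        return directive, policy[directive]
    if "default-src" in policy:
        return "default-src", policy["default-src"]
    return None, []

def evaluate_csp(header: str) -> list:
    """Return findings explaining why the policy would not stop script injection.
    An empty list means none of the weaknesses checked here were found."""
    policy = parse_csp(header)
    if not policy:
        return ["missing or empty CSP header"]
    name, sources = effective_sources(policy, "script-src")
    if name is None:
        return ["no script-src and no default-src: scripts are unrestricted"]
    findings = []
    sources = [s.lower() for s in sources]
    # CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash is also listed,
    # so it is only a weakness when it is the sole inline allowance.
    if "'unsafe-inline'" in sources and not any(s.startswith(NONCE_OR_HASH) for s in sources):
        findings.append(f"{name}: 'unsafe-inline' without a nonce or hash lets injected inline scripts run")
    if "'unsafe-eval'" in sources:
        findings.append(f"{name}: 'unsafe-eval' allows string-to-code execution")
    for src in sources:
        if src in SCHEME_WILDCARDS:
            findings.append(f"{name}: wildcard source {src} removes origin restrictions on scripts")
    if effective_sources(policy, "object-src")[0] is None:
        findings.append("object-src unrestricted: plugin content can be used to run script")
    if "base-uri" not in policy:  # base-uri does not fall back to default-src
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return findings
```

Run it against the Vulnerable and Fixed headers from the Code Examples section below: the first yields four findings, the second none.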
Avoid When
- Setting unsafe-inline or unsafe-eval — these negate the XSS protection that CSP exists to provide.
- Deploying CSP in enforce mode before testing in report-only mode — you will break legitimate functionality.
- Using wildcard (*) sources for script-src — a wildcard allows loading scripts from any origin.
- Setting CSP only on the HTML page but not on API responses that return HTML fragments.
When To Use
- Any web application that renders user-supplied content — CSP is the last line of defence against XSS.
- Applications with a well-defined set of trusted script, style, and media sources.
- After completing XSS remediation — CSP reduces the blast radius of any XSS that slips through.
- Report-only mode first, to identify violations before enforcing.
Code Examples
✗ Vulnerable
// Overly permissive CSP that provides no XSS protection:
header("Content-Security-Policy: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'");
✓ Fixed
// Tight CSP: no inline scripts, scripts only from own domain + CDN
// (origin allowlist; a nonce-based script-src is stricter still, see Explanation)
header("Content-Security-Policy: " .
"default-src 'self'; " .
"script-src 'self' https://cdn.jsdelivr.net; " .
"style-src 'self' 'unsafe-inline'; " .
"img-src 'self' data: https:; " .
"font-src 'self'; " .
"connect-src 'self' https://api.yourapp.com; " .
"frame-ancestors 'none'; " .
"base-uri 'self'; " .
"form-action 'self';"
);
// Start in report-only mode to detect breakage before enforcing:
header('Content-Security-Policy-Report-Only: ...; report-uri /csp-report');
Added
15 Mar 2026
Edited
25 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: High
⚡ Quick Fix
Start with Content-Security-Policy: default-src 'self'; then add specific allowances per resource type — use nonces for inline scripts rather than 'unsafe-inline'
📦 Applies To
PHP 5.0+
web
🔍 Detection Hints
Missing CSP header; CSP containing unsafe-inline, unsafe-eval, or wildcard (*) sources; inline scripts without a nonce
Auto-detectable:
✓ Yes
lighthouse
owasp-zap
csp-evaluator
🤖 AI Agent
Confidence: High
False Positives: Low
✗ Manual fix
Fix: Medium
Context: File
CWE-79
CWE-693