{
    "slug": "content_security_policy",
    "term": "Content Security Policy (CSP)",
    "category": "security",
    "difficulty": "intermediate",
    "short": "An HTTP response header that restricts which scripts, styles, and resources the browser is allowed to load.",
    "long": "CSP is a defence-in-depth measure against XSS. By declaring a policy in the Content-Security-Policy response header, you tell the browser to refuse to execute inline scripts, to load scripts from untrusted origins, or to evaluate strings as code via eval(). Even if an attacker injects a script tag, CSP prevents it from running. A strict CSP (script-src 'nonce-{random}') is the most effective configuration. CSP does not replace output encoding — it is an additional layer.",
    "aliases": [
        "CSP",
        "Content-Security-Policy header"
    ],
    "tags": [
        "xss",
        "headers",
        "browser",
        "defence-in-depth"
    ],
    "misconception": "That a CSP with 'unsafe-inline' still meaningfully prevents XSS. In fact 'unsafe-inline' defeats the primary purpose of CSP by allowing every inline script to run — a meaningful CSP uses nonces or hashes instead.",
    "why_it_matters": "CSP is the primary browser-enforced defence against XSS — it restricts which scripts can execute, where resources load from, and prevents inline script injection even if an XSS vulnerability exists.",
    "common_mistakes": [
        "Using 'unsafe-inline' in the script-src directive — negates XSS protection entirely.",
        "Using 'unsafe-eval' — allows string-to-code execution (eval, new Function, string setTimeout), which turns injected strings into running code.",
        "An overly permissive default-src * that effectively disables source restrictions.",
        "Not deploying CSP at all, relying solely on output encoding which may have gaps."
    ],
    "when_to_use": [
        "Any web application that renders user-supplied content — CSP is the last line of defence against XSS.",
        "Applications with a well-defined set of trusted script, style, and media sources.",
        "After completing XSS remediation — CSP reduces the blast radius of any XSS that slips through.",
        "Report-only mode first, to identify violations before enforcing."
    ],
    "avoid_when": [
        "Setting unsafe-inline or unsafe-eval — these negate the XSS protection that CSP exists to provide.",
        "Deploying CSP in enforce mode before testing in report-only mode — you will break legitimate functionality.",
        "Using wildcard (*) sources for script-src — a wildcard allows loading scripts from any origin.",
        "Setting CSP only on the HTML page but not on API responses that return HTML fragments."
    ],
    "related": [
        "xss"
    ],
    "prerequisites": [
        "xss",
        "clickjacking_csp",
        "security_headers"
    ],
    "refs": [
        "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP",
        "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html"
    ],
    "bad_code": "// Overly permissive CSP (PHP) that provides no XSS protection:\n// default-src * and script-src * allow any origin; 'unsafe-inline' and 'unsafe-eval'\n// let injected inline scripts and eval() run, so the policy blocks nothing useful.\nheader(\"Content-Security-Policy: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'\");",
    "good_code": "// Tight CSP (PHP) — no inline scripts; scripts only from own origin and one pinned CDN host.\n// 'unsafe-inline' is tolerated for style-src only; it must never appear in script-src.\nheader(\"Content-Security-Policy: \" .\n    \"default-src 'self'; \" .\n    \"script-src 'self' https://cdn.jsdelivr.net; \" .\n    \"style-src  'self' 'unsafe-inline'; \" .\n    \"img-src    'self' data: https:; \" .\n    \"font-src   'self'; \" .\n    \"connect-src 'self' https://api.yourapp.com; \" .\n    \"frame-ancestors 'none'; \" .\n    \"base-uri 'self'; \" .\n    \"form-action 'self';\"\n);\n\n// Start in report-only mode to detect breakage before enforcing.\n// report-uri is deprecated in CSP Level 3 in favour of report-to, but remains widely supported.\nheader('Content-Security-Policy-Report-Only: ...; report-uri /csp-report');",
    "quick_fix": "Start with Content-Security-Policy: default-src 'self'; then add specific allowances per resource type — use nonces for inline scripts rather than 'unsafe-inline'",
    "severity": "high",
    "effort": "high",
    "created": "2026-03-15",
    "updated": "2026-03-25",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/content_security_policy",
        "html_url": "https://codeclaritylab.com/glossary/content_security_policy",
        "json_url": "https://codeclaritylab.com/glossary/content_security_policy.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Content Security Policy (CSP)](https://codeclaritylab.com/glossary/content_security_policy) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/content_security_policy"
            }
        }
    }
}