What is CSP (Content Security Policy)?
An HTTP response header that tells the browser which origins may supply scripts, styles, images and other resources, and whether inline script may run at all, which limits what an XSS payload can do even after it has been injected.
Full explanation
A strict CSP blocks most XSS exploitation because the browser refuses to run inline scripts, inline event-handler attributes and `javascript:` URLs, and refuses to load scripts from origins the policy does not list. Modern policies allow the page's own inline blocks either with a nonce (a random value generated fresh for every response and echoed in the script tag's `nonce` attribute; a static or predictable nonce is as good as no nonce) or with a hash of the exact script content. `object-src 'none'` and `base-uri 'self'` close two common bypasses: plugin content that can execute script, and an injected `<base>` tag that redirects relative script URLs to an attacker's host. CSP is defense in depth: it does not stop the injection itself and does not replace output escaping, but it sharply limits what an injected payload can do if escaping fails. Roll a new policy out with `Content-Security-Policy-Report-Only` first, so violations are reported without being enforced.
Example
`Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; base-uri 'self'; frame-ancestors 'none';`
FAQ
Does `unsafe-inline` defeat CSP?
Largely, yes. `'unsafe-inline'` in `script-src` (or in `default-src` when `script-src` is absent) lets any inline `<script>`, inline event handler and `javascript:` URL run, which is exactly what a typical XSS payload needs, so the policy no longer restricts injected script. Use nonces or hashes to allow the specific inline blocks the page needs. One nuance: when the same directive also contains a nonce or hash source, browsers implementing CSP Level 2 or later ignore `'unsafe-inline'`, so it is sometimes left in only as a fallback for very old browsers; that fallback does not weaken the policy in modern browsers, but it gives no protection to the old ones it is meant for.
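A small auditor that parses a CSP header and reports the weaknesses discussed on this page: the `'unsafe-inline'` case from this FAQ (including the "ignored when a nonce or hash is present" nuance), and the `object-src` and `base-uri` points from the full explanation. This is an added Node.js example, not code from the original page; the function names (`parseCsp`, `auditCsp`) and the wording of the findings are my own, while the directive semantics (fallback to `default-src`, first occurrence of a repeated directive wins) follow the CSP specification.

```javascript
'use strict';
// Added example: parse a CSP header and flag settings that let XSS through.

// Parse "dir value value; dir value" into a Map of directive -> [values].
// Directive names are case-insensitive; browsers honour only the first
// occurrence of a repeated directive, so we keep the first as they do.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// 'nonce-...' and 'sha256-...' / 'sha384-...' / 'sha512-...' source expressions.
const isNonceOrHash = (v) => /^'(nonce-|sha(256|384|512)-)/i.test(v);

// Return a list of findings; an empty list means no obvious weakness.
function auditCsp(header) {
  const p = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src when absent.
  const scriptSrc = p.get('script-src') ?? p.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: scripts are unrestricted');
  } else {
    const lower = scriptSrc.map((v) => v.toLowerCase());
    const hasNonceOrHash = scriptSrc.some(isNonceOrHash);
    if (lower.includes("'unsafe-inline'")) {
      findings.push(hasNonceOrHash
        ? "'unsafe-inline' in script-src is ignored by CSP2+ browsers because a nonce/hash is present (legacy fallback only)"
        : "'unsafe-inline' in script-src without nonce/hash: inline script injection is allowed");
    }
    if (lower.includes("'unsafe-eval'")) {
      findings.push("'unsafe-eval' in script-src: eval() and new Function() are allowed");
    }
    for (const v of lower) {
      if (v === '*' || v === 'http:' || v === 'https:' || v === 'data:' || v.startsWith('*.')) {
        findings.push(`overly broad script source ${v}`);
      }
    }
  }

  // object-src also falls back to default-src; anything other than 'none'
  // leaves plugin content as a way to run script.
  const objectSrc = p.get('object-src') ?? p.get('default-src');
  if (!objectSrc || objectSrc.length !== 1 || objectSrc[0].toLowerCase() !== "'none'") {
    findings.push("object-src is not 'none': plugin content can be used to run script");
  }

  // base-uri has no fallback to default-src.
  if (!p.has('base-uri')) {
    findings.push('base-uri not set: an injected <base> tag can redirect relative script URLs');
  }
  return findings;
}

// Demo on constructed headers (the strict policy from this page and a weak one).
for (const h of [
  "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; base-uri 'self'; frame-ancestors 'none';",
  "script-src 'self' 'unsafe-inline' https:",
]) {
  console.log(h, '=>', auditCsp(h));
}
```

Run it against the headers your application actually emits (for example, captured from a response with `curl -I`); a policy that looks strict in the source is often loosened by a framework or CDN layer before it reaches the browser.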