devinsta — design and development agency

CSP (Content Security Policy)

An HTTP response header that tells the browser which sources of scripts, styles, images and other content are allowed to load on your page.


A Content Security Policy (CSP) is a header your server returns that tells the browser which sources of content are trusted. script-src restricts JavaScript origins, style-src restricts CSS, img-src restricts images, connect-src restricts fetch and XHR destinations, and so on. Anything not on the list is blocked.

CSP is one of the strongest defences against cross-site scripting (XSS). If an attacker manages to inject <script src="evil.example/x.js">, a strict CSP simply refuses to load it. Nonce- and hash-based policies go further by allowing only inline scripts that carry a matching nonce attribute or whose hash is listed in the policy.

The pain is third-party sprawl. A typical marketing site loads analytics, tag managers, A/B tools, chat widgets, payment SDKs, ad pixels and embeds, each from its own origin. Writing a CSP that allows them all without allowing anything else is real work. Report-only mode lets you observe before enforcing, which is the right way to roll one out on an existing site.

Devinsta ships CSP on every site we build, starting in report-only mode during launch, then tightening as third parties are audited. It is one of the cheapest, most effective security controls available, and search engines and browsers increasingly reward sites that use it.
