Content Security Policy is a new addition to the web platform that promises to mitigate the risk of XSS attacks by giving admins control over which data and code are allowed to run on their site.
- Another layer in a website's defenses: browser-enforced restrictions against external resources or unauthorized scripting.
- An extra response header instructs the browser to enforce the policy.
- Involves deciding which policies you want to enforce, configuring them, and then sending them in the X-Content-Security-Policy header (the early, vendor-prefixed name; the standardized header is Content-Security-Policy) to establish your policy.
- Best used as defense-in-depth: a declarative policy that lets admins tell the client which sources the application expects to load resources from.
- Mitigate XSS: an application can declare that it only expects scripts from trusted sources.
- Allows the client to detect and block malicious scripts injected into the application by an attacker.
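To make the "declare trusted sources, browser blocks the rest" idea concrete, here is an added example (not from the original notes) that builds the response header and then evaluates, the way a browser would, whether individual loads are permitted under a policy. The policy string, the page origin `https://www.example.com` and the URLs are constructed; the matcher is a deliberately simplified version of the spec (no nonces, hashes or `strict-dynamic`, and an omitted port only matches an omitted port).

```python
from __future__ import annotations
from urllib.parse import urlparse

# Constructed example policy for a site served from https://www.example.com
# (illustrative values, not taken from the original notes).
EXAMPLE_POLICY = (
    "default-src 'none'; "
    "script-src 'self' https://cdn.example.com; "
    "style-src 'self' 'unsafe-inline'; "
    "img-src 'self' https:; "
    "report-uri /csp-report"
)
PAGE_ORIGIN = "https://www.example.com"


def build_header(policy: str, report_only: bool = False) -> tuple[str, str]:
    """Return the (name, value) pair to add to the HTTP response.
    Report-Only mode lets you collect violations at report-uri before enforcing."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, policy


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers honour the first occurrence of a directive and ignore repeats.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _url_origin(url: str) -> tuple[str, str, int | None]:
    p = urlparse(url)
    return p.scheme.lower(), (p.hostname or "").lower(), p.port


def _parse_host_source(source: str, default_scheme: str) -> tuple[str, str, int | None]:
    """Parse a host-source such as https://cdn.example.com:8443 or *.example.com."""
    scheme, rest = source.split("://", 1) if "://" in source else (default_scheme, source)
    host, _, port = rest.split("/", 1)[0].partition(":")
    return scheme.lower(), host.lower(), int(port) if port else None


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit loading `url`? (Simplified spec matching.)"""
    scheme, host, port = _url_origin(url)
    page_scheme = _url_origin(page_origin)[0]
    if source == "'none'":
        return False
    if source == "'self'":
        return (scheme, host, port) == _url_origin(page_origin)
    if source.startswith("'"):
        return False                      # 'unsafe-inline', nonces, hashes never match a URL
    if source == "*":
        return scheme in ("http", "https")
    if source.endswith(":"):              # scheme-source, e.g. https:
        return scheme == source[:-1].lower()
    s_scheme, s_host, s_port = _parse_host_source(source, page_scheme)
    if s_scheme != scheme:
        return False
    host_ok = host.endswith(s_host[1:]) if s_host.startswith("*.") else host == s_host
    # Simplification: an omitted port only matches an omitted (default) port.
    return host_ok and s_port == port


def allowed(policy: str, directive: str, url: str | None, page_origin: str = PAGE_ORIGIN) -> bool:
    """Would the browser permit this load? url=None means an inline script/style block."""
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True                           # directive absent and no default-src: unrestricted
    if url is None:
        return "'unsafe-inline'" in sources   # nonce/hash allow-lists omitted for brevity
    return any(_source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    name, value = build_header(EXAMPLE_POLICY)
    print(f"{name}: {value}")
    checks = [
        ("script-src", "https://www.example.com/app.js"),   # 'self'
        ("script-src", "https://cdn.example.com/lib.js"),   # allow-listed CDN
        ("script-src", "https://evil.example.net/x.js"),    # injected third-party script
        ("script-src", None),                               # inline <script>, the classic XSS payload
        ("connect-src", "https://www.example.com/api"),     # falls back to default-src 'none'
    ]
    for directive, url in checks:
        verdict = "allowed" if allowed(EXAMPLE_POLICY, directive, url) else "blocked"
        print(f"{directive:12} {url or '<inline>':40} -> {verdict}")
```

Rolling the same policy out with `report_only=True` first is the usual way to find legitimate loads the policy would break: the browser posts violation reports to `report-uri` without blocking anything, and you switch to the enforcing header once the reports are clean.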