Content Security Policy, or CSP, is a browser security rule that limits which sources of scripts, images, and other resources a webpage can load. It helps block malicious code from running on a site even if an attacker manages to inject it.
A website sends a CSP header listing approved sources for scripts, styles, images, and other content types. The browser checks every resource request against this list and blocks anything from an unapproved source. This stops many cross-site scripting attacks, since injected scripts from unauthorized domains simply will not run. Developers can also use CSP to send violation reports back to the server, which helps them spot attack attempts.
Match the strength of this control to what is actually at risk in the workflow.
USER-country-de-session-task01The credential string is the only configuration needed -- "country-de" sets the exit, "session-task01" keeps it consistent, and content security policy is handled by the gateway rather than your application code.
Test the setup with a leak-test tool or packet capture to confirm this protection is actually working, not just configured.
Pair this with sane session handling and header hygiene -- no single control covers a full workflow on its own.
Apply the strongest version of this control to logins, payments, and personal data -- it is overkill for public information.
Do not let two workflows that need to stay separate for privacy or account reasons share the same session or IP.
A CSP header might allow scripts only from the domain of the website itself, which blocks an injected script hosted on an outside attacker server.
A strong CSP reduces the damage an attacker can do even after finding another vulnerability. Sites that skip CSP leave themselves open to a wider range of injection attacks.
CSP blocks most script injection from unapproved sources, but a poorly configured policy can still leave gaps. It works best when combined with proper input handling.
A CSP that is too strict can block legitimate scripts or fonts. It needs careful testing before going live on a busy site.
Ready to put this into practice? Security Documentation
Start a free trial and test with real targets -- no credit card, no sales call.