CSP
CSP is the acronym for Content Security Policy.
Content Security Policy
Content Security Policy is a computer security standard introduced to mitigate cross-site scripting (XSS), clickjacking, and other code injection attacks that work by executing attacker-controlled content in the context of a trusted web page. A policy declares the sources from which a page is allowed to load content, which limits what an injected payload can do; it reduces the impact of such attacks but does not remove the underlying injection flaw.
The CSP standard lets a web server send an HTTP response header named Content-Security-Policy that states, per content type, the sources from which the browser may load content (scripts, styles, images, media, frames, fonts, etc.). For each content type the policy governs, the browser refuses to load or run anything the policy does not match, including inline scripts and event handlers unless the policy explicitly allows them (for example via a nonce or hash). Content types the policy does not mention fall back to the default-src directive; if there is no default-src either, they remain unrestricted, so an effective policy starts from a restrictive default-src. A companion header, Content-Security-Policy-Report-Only, reports violations without blocking anything and is the usual way to test a policy before enforcing it.
The concept dates to 2004, when it was proposed under the name Content Restrictions; Mozilla later developed it into CSP and shipped the first implementation in Firefox 4. The initial goal was to mitigate XSS, a common web vulnerability that lets attackers inject scripts into pages viewed by other users. Over time the standard was refined and expanded to cover more content types and to give finer-grained control over policies.
CSP is valuable as defense in depth: it limits the impact of vulnerabilities, such as injection flaws, that slip past other controls. It does not replace output encoding and other secure coding practices; it adds a layer on top of them.
Although support for specific features can vary, CSP is widely supported in modern browsers, including Google Chrome, Firefox, Safari, and Microsoft Edge.
- Abbreviation: CSP