loading
Loading content
loading
Also known as CSP
A content security policy (CSP) is an HTTP response header, Content-Security-Policy, that lists the origins a browser may load scripts, styles, images, and other resources from. When the policy restricts scripts to a known set of sources and forbids inline execution, an injected <script> payload never runs, because the browser blocks anything outside the allowed list. CSP acts as a second line of defense after input handling.
This matters because CSP blunts xss, one of the most common web flaws and a fixture on the owasp top ten. A well-built policy turns a reflected-script bug from full account takeover into a blocked request logged in the console. A weak policy gives false comfort: directives like unsafe-inline, overly broad wildcards, or a missing object-src leave gaps an attacker exploits.
Reviewing CSP is a standard step in web application security assessment. Testers parse the header, flag permissive directives, and check whether the policy is enforced or only reported. CSP governs script trust the way tls/ssl governs transport trust.
In Trickest you can crawl a set of hosts, extract every CSP header, and grade each policy against a ruleset to surface the weakest configurations across a large estate.
Related terms