Inspect a Content Security Policy Header

Content Security Policy (CSP) is the most powerful browser-enforced defense against Cross-Site Scripting (XSS) attacks. Without a CSP, a single XSS vulnerability allows an attacker to execute arbitrary JavaScript in the victim's browser — stealing session cookies, capturing keystrokes, making authenticated API requests, or redirecting to phishing pages. A well-crafted CSP drastically limits what injected scripts can do and often prevents XSS exploitation entirely by blocking unauthorized script sources. This example shows a production-realistic CSP with multiple directives. default-src 'self' is the fallback that applies to any resource type without its own explicit directive — restricting everything to the same origin by default. script-src extends the default to also allow scripts from a specific CDN domain and scripts with a specific nonce attribute (for inline scripts that are explicitly approved). style-src allows the same origin and unsafe-inline (a common compromise for stylesheets since CSS injection is lower risk than script injection). img-src allows same-origin images, data: URIs (for inline SVG/base64 images), and all HTTPS sources. The nonce-based approach in script-src 'nonce-abc123' is important: by generating a random nonce on each request and including it in both the CSP header and the script tag (<script nonce="abc123">), you can allow specific inline scripts while blocking any inline scripts an attacker might inject (which won't have the correct nonce). This is the recommended alternative to 'unsafe-inline'. frame-ancestors 'none' prevents your page from being embedded in an iframe on any domain, mitigating clickjacking attacks where attackers overlay your page with a transparent iframe to trick users into clicking buttons they can't see. This is the modern replacement for the X-Frame-Options: DENY header. base-uri 'self' prevents attackers from injecting a <base> tag that redirects all relative links to an attacker-controlled domain. form-action 'self' restricts where form submissions can go, preventing form hijacking. The Permissions-Policy header (shown in the example) controls access to browser APIs like camera, microphone, and geolocation. Setting camera=(), microphone=(), geolocation=() disables these APIs entirely on your page, reducing the attack surface if XSS does occur. Deployment strategy: always deploy CSP in report-only mode first using Content-Security-Policy-Report-Only header with a report-uri endpoint. Monitor the reports for violations caused by legitimate resources (analytics scripts, fonts, embedded content) and add those sources to the policy before switching to enforcement mode. Enforcing a CSP without testing in report-only mode almost always breaks legitimate functionality.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-abc123'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()