// Tutorial //

What is a Content Security Policy?

Published on June 24, 2021
Default avatar
By Brian Boucheron
Developer and author at DigitalOcean.
What is a Content Security Policy?

A Content Security Policy (CSP) is a mechanism for web developers to increase the security of their websites. By setting a Content Security Policy, web developers can instruct web browsers to only load resources from certain trusted domains, enforce secure HTTPS connections, and even report policy violations as they occur. This can prevent many content injection and cross-site scripting (XSS) vulnerabilities, which often lead to data leaks, website vandalism, and malware distribution.

Policies are transmitted to the web browser by either setting the Content-Security-Policy HTTP header, or including a <meta http-equiv="Content-Security-Policy" ... > tag in the HTML source of the site. The actual policy data is a text string, made up of one or more directives that specify the desired restrictions and configurations.

To find out more about Content Security Policies, and their implementation in production applications, please refer to the following resources:


Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in our Questions & Answers section, find tutorials and tools that will help you grow as a developer and scale your project or business, and subscribe to topics of interest.

Sign up
About the authors
Default avatar
Developer and author at DigitalOcean.

Still looking for an answer?

Was this helpful?

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.