What is a Content Security Policy?

Published on June 24, 2021

A Content Security Policy (CSP) is a mechanism for web developers to increase the security of their websites. By setting a Content Security Policy, web developers can instruct web browsers to only load resources from certain trusted domains, enforce secure HTTPS connections, and even report policy violations as they occur. This can prevent many content injection and cross-site scripting (XSS) vulnerabilities, which often lead to data leaks, website vandalism, and malware distribution.

Policies are transmitted to the web browser by either setting the Content-Security-Policy HTTP header, or including a <meta http-equiv="Content-Security-Policy" ... > tag in the HTML source of the site. The actual policy data is a text string, made up of one or more directives that specify the desired restrictions and configurations.

To find out more about Content Security Policies, and their implementation in production applications, please refer to the following resources:

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the author

Brian Boucheron

Author

See author profile

Senior Technical Writer at DigitalOcean

Category:

Tags:

Still looking for an answer?

Ask a question Search for more help

Was this helpful?

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

P aarna

June 24, 2021

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.