Content Security Policy (CSP)

The Content-Security-Policy HTTP response header helps you reduce risks such as XSS, data injection attacks, and clickjacking.

Modern browsers use the Content-Security-Policy HTTP response header to enhance the security of the web page.

How to Enable CSP

We can enable CSP in two ways:

1. FROM SERVER WITH RESPONSE HEADER
2. SET AS META TAG

**FROM SERVER WITH RESPONSE HEADER**

Configure your web server to return the Content-Security-Policy HTTP header.

**SET AS META TAG**

<meta http-equiv="Content-Security-Policy" content="...CSP directives...">

**ex** - <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*;">

CSP Directive References

default-src: defines the default policy for fetching resources such as JavaScript, images, CSS, fonts, AJAX requests, frames, and HTML5 media. Allow everything, but only from the same origin: default-src 'self';

script-src: only allow scripts from the same origin: script-src 'self';

style-src: only allow styles from the same origin: style-src 'self';

img-src: only allow images from the same origin: img-src 'self';

There are many more directives, which you can refer to here.

Allow content from a trusted domain and all of its subdomains: Content-Security-Policy: default-src 'self' domainName *.domainName

Load all content over TLS from one domain: Content-Security-Policy: default-src https://domainName

Allow HTML in email and images from anywhere, but not other potentially dangerous content.
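To see how the directives above fit together, here is an added example in Python (not code from the original post): it parses a policy string into directives, resolves the default-src fallback that script-src and the other fetch directives rely on, and flags settings that weaken the protection, plus directives that a meta tag cannot deliver. The sample policies are the ones shown on this page; the review rules and the META_UNSUPPORTED list are my own assumptions, not a complete CSP validator.

```python
from typing import Dict, List

# Constructed sample policies, taken from the examples on this page.
META_TAG_POLICY = "default-src 'self'; img-src https://*;"
TRUSTED_DOMAIN_POLICY = "default-src 'self' domainName *.domainName"
TLS_ONLY_POLICY = "default-src https://domainName"

# Directives browsers ignore when the policy arrives in a <meta> tag
# instead of the HTTP response header (assumption: list kept short here).
META_UNSUPPORTED = ("frame-ancestors", "report-uri", "sandbox")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive: [source expressions]}.

    Directives are separated by ';'; the first token is the directive name,
    the rest are its sources. A repeated directive is ignored (first one wins),
    which matches how browsers treat duplicates.
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Fetch directives such as script-src fall back to default-src when absent."""
    return directives.get(name, directives.get("default-src", []))


def review_csp(policy: str, delivery: str = "header") -> List[str]:
    """Return findings about settings that undercut CSP's XSS/clickjacking protection."""
    d = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in d:
        findings.append("no default-src: resource types without their own directive are unrestricted")
    scripts = effective_sources(d, "script-src")
    if "'unsafe-inline'" in scripts:
        findings.append("script-src allows 'unsafe-inline': injected inline <script> still runs")
    if any(s in ("*", "http:", "https:") or s.endswith("*") for s in scripts):
        findings.append("script-src contains a wildcard: scripts can load from any matching origin")
    if delivery == "meta":
        for name in META_UNSUPPORTED:
            if name in d:
                findings.append(f"{name} is ignored in a <meta> tag; deliver it via the response header")
    return findings


if __name__ == "__main__":
    for label, policy in [("meta tag example", META_TAG_POLICY), ("trusted domain", TRUSTED_DOMAIN_POLICY),
                          ("TLS only", TLS_ONLY_POLICY), ("weak", "script-src 'self' 'unsafe-inline' https://*")]:
        print(f"{label}: {review_csp(policy) or ['ok']}")
```

Note that the page's img-src https://* is not flagged: a wildcard for images is the intent there, and only script-src is checked for wildcards.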

Happy Learning…👏👏