Content-Security-Policy Explained (and How to Fix a Weak One)
A Content-Security-Policy (CSP) is a response header that tells the browser which sources of scripts, styles, images and other resources are allowed. A good CSP is one of the strongest defences against cross-site scripting (XSS).
Presence is not enough
A header of default-src *; script-src 'unsafe-inline' technically exists but blocks almost nothing. Effectiveness depends on the directives, not merely on having the header. 'unsafe-inline' in script-src largely defeats the policy because it re-allows the inline scripts XSS relies on.
What a strong policy looks like
Define default-src 'self', restrict script-src to 'self' plus a nonce or hash, set object-src 'none' and base-uri 'self', and add frame-ancestors to stop clickjacking. Using a per-response nonce with 'strict-dynamic' lets modern browsers ignore 'unsafe-inline' safely.
Migrating without breaking the site
Start with Content-Security-Policy-Report-Only to collect violations without enforcing, fix the reported inline scripts by moving them to files or adding nonces, then switch to the enforcing header once the reports are clean.