SiteAlertAI SiteAlertAI
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
← All guides

Content-Security-Policy Explained (and How to Fix a Weak One)

A Content-Security-Policy (CSP) is a response header that tells the browser which sources of scripts, styles, images and other resources are allowed. A good CSP is one of the strongest defences against cross-site scripting (XSS).

Presence is not enough

A header of default-src *; script-src 'unsafe-inline' technically exists but blocks almost nothing. Effectiveness depends on the directives, not merely on having the header. 'unsafe-inline' in script-src largely defeats the policy because it re-allows the inline scripts XSS relies on.

What a strong policy looks like

Define default-src 'self', restrict script-src to 'self' plus a nonce or hash, set object-src 'none' and base-uri 'self', and add frame-ancestors to stop clickjacking. Using a per-response nonce with 'strict-dynamic' lets modern browsers ignore 'unsafe-inline' safely.

Migrating without breaking the site

Start with Content-Security-Policy-Report-Only to collect violations without enforcing, fix the reported inline scripts by moving them to files or adding nonces, then switch to the enforcing header once the reports are clean.

🛰 Grade your CSP →

Related guides

  • What Is HSTS and How Do I Enable It?
  • Mixed Content: Why Your HTTPS Padlock Breaks
  • CAA Records: Control Which CAs Can Issue Your Certificates
SiteAlertAI · © 2026 All rights reserved · Built for security professionals and developers.
Blog Guides Privacy Terms About Contact Social

⚠ For authorised security testing only. Scanning domains you do not own may violate laws in your jurisdiction. SiteAlertAI accepts no liability for misuse. CVE data is indicative — verify with NVD.