WHAT IS CONTENT SECURITY POLICY (CSP)
Content Security Policy (CSP) is an HTTP response header that defends against cross-site scripting (XSS) attacks by telling the browser which content sources it is allowed to load. It controls where scripts, styles, images, fonts, and other resources can be loaded from. To check whether your website has a proper CSP, scan it for free at scanmyvibe.co/scan.
Check your website now with ScanMyVibe — 150+ checks, AI fix prompts, no signup.
Why CSP Matters
Cross-site scripting (XSS) consistently appears in the OWASP Top 10 list of the most critical web application security risks. CSP is the primary defense against XSS. Without a CSP header, an attacker who finds an XSS vector can inject arbitrary scripts that steal cookies, redirect users, or exfiltrate data. A proper CSP restricts which scripts the browser will execute.
- Prevents inline script execution (blocks most XSS attacks)
- Restricts script sources to trusted domains only
- Blocks loading of unauthorized resources
- Provides violation reporting for monitoring
- Required for compliance with many security standards
CSP Directive Reference
A CSP header consists of directives that control different resource types:
- default-src — Fallback policy for all resource types
- script-src — Controls JavaScript sources
- style-src — Controls CSS sources
- img-src — Controls image sources
- connect-src — Controls fetch(), XMLHttpRequest, and WebSocket targets
- font-src — Controls web font sources
- frame-src — Controls iframe sources
- report-uri / report-to — Where to send CSP violation reports
Common CSP Mistakes
Many websites add a CSP header but configure it incorrectly. Common mistakes include using 'unsafe-inline' in script-src (which re-enables the inline scripts CSP is meant to block and so defeats the purpose), setting overly permissive wildcards such as * or bare https:, or forgetting to set frame-ancestors. ScanMyVibe performs deep CSP analysis and flags these issues with specific fix prompts.
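To make the directive reference and the common mistakes above concrete, here is an added example (my own code, not ScanMyVibe's scanner) that parses a Content-Security-Policy header value into its directives and lints it for the three weaknesses named above: 'unsafe-inline' in the effective script policy, wildcard or scheme-only script sources, and a missing frame-ancestors directive. The two sample policies, the nonce value, and the report-to group name are constructed for the example; the fallback rules it applies (script-src falls back to default-src, frame-ancestors does not, and a repeated directive is ignored after its first occurrence) are the ones the CSP specification defines.

```python
"""Parse and lint a Content-Security-Policy header value.

Added example, not ScanMyVibe code. Sample policies below are constructed.
"""
from __future__ import annotations

# Constructed sample headers (not taken from any real site).
WEAK_POLICY = (
    "default-src *; "
    "script-src * 'unsafe-inline' 'unsafe-eval'; "
    "img-src *"
)

HARDENED_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-d2VsbCBkb25l'; "  # nonce is a placeholder; real nonces are per-response
    "style-src 'self'; "
    "img-src 'self' data:; "
    "connect-src 'self'; "
    "object-src 'none'; "
    "base-uri 'self'; "
    "frame-ancestors 'none'; "
    "report-to csp-endpoint"  # 'csp-endpoint' is an assumed Reporting-Endpoints group name
)

# Source expressions that make a script policy effectively unrestricted.
OVERLY_PERMISSIVE = {"*", "http:", "https:", "data:", "blob:"}

Finding = tuple[str, str, str]  # (severity, directive, message)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. If a directive
    appears twice in one policy, browsers honour only the first occurrence,
    so later duplicates are dropped here as well.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def has_nonce_or_hash(sources: list[str]) -> bool:
    """True if the source list carries a nonce or hash expression.

    When one is present, CSP Level 2+ browsers ignore 'unsafe-inline', so it
    no longer re-enables arbitrary inline scripts.
    """
    prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return any(s.startswith(prefixes) for s in sources)


def lint_csp(header: str) -> list[Finding]:
    """Return findings for the common misconfigurations discussed above."""
    policy = parse_csp(header)
    findings: list[Finding] = []

    # script-src falls back to default-src when absent; with neither, scripts
    # from any origin are allowed.
    if "script-src" in policy:
        directive, scripts = "script-src", policy["script-src"]
    elif "default-src" in policy:
        directive, scripts = "default-src", policy["default-src"]
    else:
        directive, scripts = "script-src", []
        findings.append(("high", directive,
                         "neither script-src nor default-src is set; any script source is allowed"))

    if "'unsafe-inline'" in scripts and not has_nonce_or_hash(scripts):
        findings.append(("high", directive,
                         "'unsafe-inline' permits inline scripts, which defeats the XSS protection"))
    if "'unsafe-eval'" in scripts:
        findings.append(("medium", directive,
                         "'unsafe-eval' permits eval() and other string-to-code sinks"))
    loose = sorted(OVERLY_PERMISSIVE & set(scripts))
    if loose:
        findings.append(("high", directive,
                         f"wildcard/scheme-only sources {loose} allow scripts from any matching origin"))

    # frame-ancestors does NOT fall back to default-src, so it must be explicit.
    if "frame-ancestors" not in policy:
        findings.append(("medium", "frame-ancestors",
                         "missing; any site may frame this page (clickjacking)"))
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append(("low", "report-to", "no violation reporting configured"))
    return findings


if __name__ == "__main__":
    for label, value in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {label} policy ==")
        for severity, directive, message in lint_csp(value) or [("ok", "-", "no findings")]:
            print(f"  [{severity}] {directive}: {message}")
```

Running the script lists five findings for the weak policy and none for the hardened one. The check that matters most in practice is the nonce/hash rule: a policy that pairs 'unsafe-inline' with a per-response nonce is acceptable because modern browsers then ignore the 'unsafe-inline' keyword, while 'unsafe-inline' on its own is the configuration the Common CSP Mistakes section warns about.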