What is CSP
CSP is the HTTP header that blocks XSS, clickjacking, and unauthorized scripts. Content Security Policy is part of the browser-facing trust boundary. It shapes what the client is allowed to reveal, load, or trust before any backend incident response even starts.
If you are already working through HSTS and X-Frame-Options, this topic gives you the missing layer between the raw signal and the decision you have to make. For a live check, start with the CyberFurl security headers scan and then use the See the web security headers feature page to see where it fits in the wider CyberFurl workflow.
Anatomy of a CSP header
A CSP header is a collection of directives that tells the browser which origins and execution paths are allowed for different resource types. In practice the policy is only as strong as its most permissive directive, which is why teams need to read the whole header and not just confirm that one exists.
Key directives (default-src, script-src, style-src, etc.)
default-src sets the fallback, while specific directives such as script-src, style-src, img-src, and frame-ancestors tighten behavior for the resource types most likely to matter. The useful review question is not “how many directives do we have?” but “which ones are carrying the real risk on this application?”
nonce vs hash vs 'unsafe-inline'
Nonces and hashes let teams keep inline behaviors while still proving that the browser should trust a specific piece of code. unsafe-inline is the opposite: it tells the browser to stop making that distinction. That is why moving away from unsafe-inline is such a common milestone in a serious CSP rollout.
strict-dynamic
strict-dynamic changes how trust propagates once a nonce- or hash-trusted script starts loading other scripts. Used well, it can simplify modern script-heavy applications. Used carelessly, it can make a policy harder to reason about if the team does not understand which scripts are becoming trust anchors.
Reporting: report-uri, report-to
Reporting endpoints are what turn CSP from a static policy into a learning loop. They tell you which blocked loads and execution attempts the browser actually saw, which is essential during rollout. The mistake is treating reports as noise instead of triage input.
Rollout strategy: report-only → enforce
The safest CSP rollouts start in report-only mode, learn from real blocked behaviors, and then tighten toward enforcement with deliberate exceptions. Teams that jump straight to enforcement usually discover their real dependency map the hard way.
- 1
Measure the live response surface
Capture the real headers, certificate chain, and browser-facing behavior that define Content Security Policy in production. Development assumptions are not enough for internet-facing posture.
- 2
Tighten policy without breaking real traffic
Roll out the control in a staged way, especially if it changes browser execution, redirects, or certificate trust. The goal is durable enforcement, not a one-time header screenshot.
- 3
Validate in browser and scanners
Common pitfalls
Most failures around Content Security Policy are less about the standard and more about operations: copied examples, stale providers, undocumented exceptions, or rollout steps that were never verified from the outside.
These issues are easiest to catch when the review is evidence-led. Look at what the domain is really publishing or sending, then ask where the trust chain can be altered, bypassed, or silently downgraded.
- Missing ownership: nobody can clearly name which team or provider owns the live Content Security Policy behavior.
- Drift after change: a migration, proxy, vendor switch, or DNS edit quietly changed the result.
- Weak enforcement: the control exists, but the chosen value is too permissive to change risk meaningfully.
- No live verification: the rollout was declared done without checking what the public internet now sees.
How to fix or implement Content Security Policy
A good implementation plan for Content Security Policy starts with inventory, not with copying a sample policy. Teams need to know which providers, applications, mail paths, or DNS owners are already in the flow before they tighten anything.
From there the safe pattern is consistent: publish the smallest defensible change, validate the result from the outside, and keep monitoring after rollout so the control does not quietly regress after a vendor or infrastructure change. CyberFurl helps most when that validation is tied back to live evidence from CyberFurl security headers scan.
- 1
Measure the live response surface
Capture the real headers, certificate chain, and browser-facing behavior that define Content Security Policy in production. Development assumptions are not enough for internet-facing posture.
- 2
Tighten policy without breaking real traffic
Roll out the control in a staged way, especially if it changes browser execution, redirects, or certificate trust. The goal is durable enforcement, not a one-time header screenshot.
- 3
Validate in browser and scanners
Tools to check your Content Security Policy
Use the CyberFurl security headers scan when you want to see the live signal on a real domain, and then step back to the See the web security headers feature page when you need the wider workflow around posture, monitoring, or remediation. That combination is usually much more useful than reading the standard in isolation.
Further reading inside CyberFurl
- CyberFurl security headers scan
- See the web security headers feature
- HSTS
- X-Frame-Options
- CyberFurl public security report
Standards and references
Frequently asked questions
What's the difference between CSP1, CSP2, CSP3?
The version labels matter mainly because each generation added more expressive controls. CSP1 established the basic allowlist model, CSP2 improved nonce and hash use, and CSP3 added modern capabilities such as `strict-dynamic` and better framing controls. In real operations, the useful question is not which number sounds modern, but whether the live policy reflects current application behavior safely.