Content Security Policy

code injection attacks by implementing the Content Security Policy (CSP) header

Prevent XSS, clickjacking, code injection attacks by implementing the Content Security Policy (CSP) header in your web page HTTP response. CSP instruct browser to load allowed content to load on the website.

All browsers don’t support CSP, so you got to verify before implementing it. There are three ways you can achieve CSP headers.

  • Content-Security-Policy – Level 2/1.0
  • X-Content-Security-Policy – Deprecated
  • X-Webkit-CSP – Deprecated

If you are still using the deprecated one, then you may consider upgrading to the latest one.

There are multiple parameters possible to implement CSP, and you can refer to OWASP for an idea. However, let’s go through the two most used parameters.

Parameter ValueMeaning
default-srcLoad everything from a defined source
script-srcLoad only scripts from a defined source

The following example of loading everything from the same origin in various web servers.


Get the following added in httpd.conf file and restart the webserver to get effective.

Header set Content-Security-Policy "default-src 'self';"


Add the following in the server block in nginx.conf file

add_header Content-Security-Policy "default-src 'self';";

Microsoft IIS

Go to HTTP Response Headers for your respective site in IIS Manager and add the following

Check out this to implement frame-ancestors using CSP. This is an advanced version of X-Frame-Options.

Scroll to Top