
How to Add a Content Security Policy Header

security Feb 10, 2026 3 min read

What the CSP check tests

SiteCurl checks whether your server sends a Content-Security-Policy response header. If present, it also scans the policy for weaknesses like unsafe-inline and unsafe-eval that undermine the protection CSP is supposed to provide.

A Content Security Policy (CSP) is a whitelist of the sources from which the browser is allowed to load resources. If the page tries to load a script from a source the policy does not list, the browser blocks it.

Why it matters

Cross-site scripting (XSS) is one of the most common web vulnerabilities. An attacker injects a malicious script into your page, and the browser executes it because it cannot tell the difference between your scripts and injected ones.

CSP solves this by telling the browser exactly which script sources are legitimate. Any script from an unlisted source gets blocked automatically. This makes XSS attacks significantly harder to exploit, even if your application has a vulnerability.

How to fix it

A starter policy

Begin with a restrictive policy and loosen it as needed:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'

This allows scripts only from your own origin ('self'), stylesheets from your own origin plus inline styles, images from your own origin, data: URIs and any HTTPS source, and fonts only from your own origin.

Common directives

  • default-src: Fallback for any resource type not explicitly listed
  • script-src: Where scripts can load from
  • style-src: Where stylesheets can load from
  • img-src: Where images can load from
  • connect-src: Where fetch/XHR/WebSocket can connect to
  • font-src: Where fonts can load from
  • frame-src: Where iframes can load from

Using nonces instead of unsafe-inline

If your site uses inline scripts, replace unsafe-inline with nonces:

Content-Security-Policy: script-src 'self' 'nonce-abc123'

Then add the nonce to each inline script tag:

<script nonce="abc123">// your code</script>

Generate a unique nonce for each page load. Most server frameworks have built-in support for CSP nonces.

Start with report-only mode

If you are unsure your policy is correct, use Content-Security-Policy-Report-Only first. This logs violations without blocking anything, so you can identify what needs to be whitelisted before you switch to the enforcing header.
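As an added example, not SiteCurl's or the post's own code, the following Python covers the nonce and report-only steps above: it issues a per-response nonce, builds the starter policy around it, and runs the kind of script-src weakness check the CSP test performs. Function names and the 16-byte nonce length are my choices.

```python
from __future__ import annotations
import base64
import secrets

# Added example, not SiteCurl's code: per-response nonce, starter policy, and a
# checker for the script-src weaknesses the article describes.

def make_nonce(num_bytes: int = 16) -> str:
    """Fresh base64 nonce from the OS CSPRNG; make one per response, never reuse it."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")

def build_csp_header(nonce: str, report_only: bool = False) -> tuple[str, str]:
    """(header name, value): the starter policy with script-src keyed to a nonce.
    report_only=True selects the Report-Only header for the rollout phase."""
    policy = "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data: https:",
        "font-src 'self'",
    ])
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, policy

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [sources]}; browsers keep the first occurrence."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def find_weaknesses(value: str) -> list[str]:
    """Flag script weaknesses: no governing directive, 'unsafe-inline' without a
    nonce/hash (browsers ignore it once a nonce or hash is present), 'unsafe-eval'."""
    policy = parse_csp(value)
    directive = "script-src" if "script-src" in policy else "default-src"
    sources = policy.get(directive)
    if sources is None:
        return ["no script-src or default-src: scripts from any origin are allowed"]
    findings = []
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not nonce_or_hash:
        findings.append(f"'unsafe-inline' in {directive} allows injected inline scripts")
    if "'unsafe-eval'" in sources:
        findings.append(f"'unsafe-eval' in {directive} allows eval() and new Function()")
    return findings
```

Emit the returned header on every response and put the same nonce into each inline script tag, then feed the policy value to find_weaknesses before deploying a change.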

How to verify the fix

Check headers with curl:

curl -sI https://yoursite.com | grep -i content-security-policy

Run a SiteCurl scan to check for CSP presence and common weaknesses.

CSP works alongside HTTPS/HSTS and cookie security as part of a defense-in-depth security strategy.

Start a free trial to audit your security headers.
