The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).
For more information, see also this article on Content Security Policy (CSP).
| Header type | Response header |
|---|---|
| Forbidden header name | no |
Syntax
Content-Security-Policy: <policy-directive>; <policy-directive>
Directives
Fetch directivesFetch directives control locations from which certain resource types may be loaded.