What is the main goal of a Content Security Policy (CSP)?
CSP: an HTTP response header (or a <meta> element) in which the server declares which origins the browser may load scripts, styles, images, and other resources from, and whether inline code may run at all. It does not stop injection itself; it limits what injected markup can do, which reduces the impact of cross-site scripting and similar injection attacks.
2 / 5
What does script-src 'self' permit?
'self': allows scripts loaded from the document's own origin (same scheme, host, and port). Inline scripts, inline event handlers, javascript: URLs, eval(), data:/blob: URLs, and remote CDNs are all blocked unless explicitly allowed by a nonce, a hash, a host or scheme source, or the 'unsafe-inline'/'unsafe-eval' keywords. Caveat: anything an attacker can get served from your origin (an upload directory, a JSONP endpoint, a user-controlled static file) also counts as 'self'.
3 / 5
Why use a nonce or hash in a CSP?
Nonce/hash: a per-response random nonce ('nonce-<base64>', generated with a CSPRNG and never reused) or a hash of the exact script text ('sha256-<base64>') lets the browser execute exactly the intended inline script while still blocking attacker-injected inline code, which cannot know the nonce or match the hash. When a nonce or hash is present, CSP2+ browsers ignore 'unsafe-inline', so both can be listed to keep older browsers working without weakening the policy for newer ones.
4 / 5
What does the report-uri / report-to directive do?
Reporting: tells the browser where to POST a JSON violation report whenever the policy blocks (or, in report-only mode, would block) a load. report-uri takes a URL directly and sends one report per violation; report-to names an endpoint group declared in a separate Reporting-Endpoints (or the older Report-To) header and delivers batched reports through the Reporting API. report-uri is deprecated but still the more widely supported of the two, so policies commonly carry both. The reports are invaluable for tuning a policy before enforcing it.
5 / 5
What is the effect of Content-Security-Policy-Report-Only?
Report-Only mode: the Content-Security-Policy-Report-Only header evaluates the policy and emits reports but blocks nothing, letting you test a candidate policy on production traffic before switching to enforcement. It only works as a response header (a <meta> element is ignored) and is useless without report-uri or report-to. An enforcing Content-Security-Policy header and a report-only header can be sent together, so the current policy stays enforced while the stricter candidate is measured.