Skip to main content
Vantyris

Headers

Content Security Policy: the header that stops most XSS attacks dead.

Published 2026-05-12 · Last updated 2026-05-12 · Vantyris editorial

Content Security Policy (CSP) is a header your site sends that tells the browser which scripts, styles, fonts, and images are allowed to load. Without it, any script injected into your page through a compromised plugin or a clever XSS bug can execute and exfiltrate data. With it, the browser refuses to run anything from a source you haven't explicitly allowed. CSP is the single header that prevents the most common class of website attacks.

What this means for your business

How to fix

Start with `Content-Security-Policy-Report-Only` (observe mode), watch the browser report violations for a week, fix the policy until clean, then switch to the enforcing `Content-Security-Policy` header.

  1. Audit what your site already loads. Open your site in Chrome DevTools → Network. Note every domain your site fetches scripts, styles, fonts, images, and frames from. Common ones: Google Fonts, Stripe, your CDN, analytics, embedded YouTube.
  2. Draft a basic policy. A reasonable starting point: `default-src 'self'; script-src 'self' https://js.stripe.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none'; form-action 'self'`. Adjust the third-party domains to match your stack.
  3. Deploy in report-only mode first. Send the header as `Content-Security-Policy-Report-Only` (note the suffix). The browser logs violations to console but doesn't block anything. Run your site through normal use for a week and watch the console for `Refused to load` messages. Each one tells you a domain your policy missed.
  4. Tighten the policy until clean. Add the missing domains to the relevant directive. Or — better — refactor the site to use fewer external services. Each `https://` allowance in your CSP is a tradeoff.
  5. Switch to enforcing mode. Rename the header from `Content-Security-Policy-Report-Only` to `Content-Security-Policy`. Now the browser enforces.

Owner: Your developer or web host. · Time: 1-2 hours of audit + 1 week of observe-mode + 30 minutes to flip on.

Common gotchas

How to verify the fix

Run a Vantyris scan; it checks for the presence of CSP and flags the most common weaknesses (unsafe-inline, unsafe-eval, missing default-src). Or run your site through observatory.mozilla.org for a detailed CSP grade.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

Do I need CSP if I have HTTPS?

Yes. HTTPS encrypts the connection. CSP controls what code runs on the page. Different protections, different threats.

Will CSP break my analytics?

Only if your analytics is on a domain you didn't allow. Add the analytics domain to `script-src` and `connect-src` and it works fine.

What's the difference between CSP and Permissions-Policy?

CSP controls what code runs. Permissions-Policy controls what browser features (camera, microphone, geolocation, etc.) the page can use. Different headers, complementary.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0