Response

HTTP Content-Security-Policy (CSP) Header

Controls which resources the browser is allowed to load for a page. A critical security header that mitigates XSS and data injection attacks by restricting where scripts, styles, images and other content may be loaded from.

Purpose

Enhances website security by defining approved sources of content that the browser can load, preventing cross-site scripting attacks.

Content-Security-Policy: <policy-directive> <source>

Each directive takes one or more space-separated source expressions, and multiple directives are separated by semicolons.

Example: Content-Security-Policy: default-src 'self'

Example: Content-Security-Policy: script-src 'self' https://apis.google.com; img-src 'self' data:

Code Examples

See how to use the Content-Security-Policy (CSP) header in different tools and languages.

curl -I https://example.com
# Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
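The policy shown in the curl output above allows 'unsafe-inline' in script-src, which undoes most of the XSS protection the header is meant to provide. The following is an added example, not code from this page, that parses a CSP header value the way a browser splits it (semicolon-separated directives, whitespace-separated sources, default-src fallback for fetch directives) and reports weak settings. The sample policies, the WEAK_SOURCES list and the function names are this example's own choices, not a standard API.

```python
# Added example: parse a CSP header value and flag weak sources in the
# directives that matter most for XSS (script-src, object-src, style-src,
# base-uri). Sample policies below are constructed for this demo.

# Source expressions that largely defeat the directive they appear in.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:", "blob:"}

# Fetch directives that fall back to default-src when not set explicitly.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                         "font-src", "media-src", "object-src", "frame-src"}


def parse_csp(header_value):
    """Split a CSP header value into {directive-name: [source expressions]}.

    Directives are separated by ';', tokens by whitespace; names are
    case-insensitive. A repeated directive is ignored (first occurrence wins),
    which matches how browsers treat duplicates within one header.
    """
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Return the source list that applies to `directive`, honouring the
    default-src fallback. Returns None when nothing constrains it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def audit_csp(header_value):
    """Return a sorted list of human-readable findings for weak settings."""
    policy = parse_csp(header_value)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: directives not listed are unrestricted")
    for directive in ("script-src", "object-src", "style-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive} unrestricted (no directive and no default-src)")
            continue
        for src in sources:
            if src in WEAK_SOURCES:
                findings.append(f"{directive} allows {src}")
    # base-uri does not fall back to default-src; leaving it unset lets an
    # injected <base> tag retarget relative script URLs.
    if "base-uri" not in policy:
        findings.append("base-uri missing: relative URLs can be retargeted via <base>")
    return sorted(findings)


# Constructed sample policies: the lenient one mirrors the curl output above,
# the stricter one removes 'unsafe-inline' and pins object-src and base-uri.
PAGE_STYLE_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
                     "style-src 'self' 'unsafe-inline'")
STRICTER_POLICY = ("default-src 'self'; script-src 'self' https://apis.google.com; "
                   "object-src 'none'; base-uri 'self'")

if __name__ == "__main__":
    for name, value in (("lenient", PAGE_STYLE_POLICY), ("stricter", STRICTER_POLICY)):
        print(f"{name}:")
        for finding in audit_csp(value) or ["no findings"]:
            print("  -", finding)
```

Running the script prints the findings for both policies; the stricter policy produces none. The check treats a scheme-only source such as https: as weak because it permits any host on that scheme, and it reports a missing base-uri separately because that directive has no default-src fallback.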
