Content Security Policy meta http-equiv
Set a Content Security Policy via meta http-equiv.
What is CSP?
Content Security Policy is a browser-enforced policy that restricts which resources a page can load and execute. It is the strongest defense against Cross-Site Scripting: even if an attacker injects a <script> tag, the browser refuses to run it unless the policy allows.
Two Ways to Deliver
CSP can be sent as an HTTP response header (Content-Security-Policy: ...) or as a meta tag in HTML: <meta http-equiv="Content-Security-Policy" content="...">. The header is preferred; the meta tag is useful when you cannot control the server.
<meta http-equiv="Content-Security-Policy"
content="default-src 'self'; script-src 'self' https://cdn.example.com">All lessons in this course
- Content Security Policy meta http-equiv
- XSS via innerHTML and How to Prevent It
- iframe Sandboxing and Permissions Policy
- HTTPS and Subresource Integrity