0Pricing
HTML Academy · Lesson

Content Security Policy meta http-equiv

Set a Content Security Policy via meta http-equiv.

What is CSP?

Content Security Policy is a browser-enforced policy that restricts which resources a page can load and execute. It is the strongest defense against Cross-Site Scripting: even if an attacker injects a <script> tag, the browser refuses to run it unless the policy allows.

Two Ways to Deliver

CSP can be sent as an HTTP response header (Content-Security-Policy: ...) or as a meta tag in HTML: <meta http-equiv="Content-Security-Policy" content="...">. The header is preferred; the meta tag is useful when you cannot control the server.

<meta http-equiv="Content-Security-Policy"
  content="default-src 'self'; script-src 'self' https://cdn.example.com">

All lessons in this course

  1. Content Security Policy meta http-equiv
  2. XSS via innerHTML and How to Prevent It
  3. iframe Sandboxing and Permissions Policy
  4. HTTPS and Subresource Integrity
← Back to HTML Academy