Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. It works by letting a site declare, in an HTTP response header, which sources of content the browser may load for a page. These attacks are used for everything from data theft to site defacement to distribution of malware.
Although Content Security Policy first shipped in Firefox 4, that implementation, using the X-Content-Security-Policy header, pre-dated the existence of a formal spec for CSP. Firefox 23 contains an updated implementation of CSP that uses the unprefixed Content-Security-Policy header and the directives as described in the W3C CSP 1.0 spec.
Content Security Policy topics
- Introducing Content Security Policy: an overview of what CSP is and how it can make your site more secure.
- CSP policy directives: a reference to the CSP policy directives.
- Using Content Security Policy: you can adjust the behavior of CSP by configuring policy sets, loosening or tightening restrictions for individual types of resources based on your site's needs. This article describes how to set up CSP, as well as how to enable it for your site.
- Using CSP violation reports: how to use Content Security Policy violation reports to monitor attempts to attack your site and its users.
- Default CSP restrictions (obsolete since Gecko 15.0): details about the default restrictions enforced by CSP.
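The topics above describe two things a practitioner needs to hold in mind at once: how the Content-Security-Policy header is structured into per-resource-type directives, and how a resource-type directive that is absent falls back to default-src. The following is an added example, not code from this page or from Firefox: a simplified evaluator for CSP 1.0 fetch directives, written in JavaScript so it runs under Node. The function names (parsePolicy, isAllowed, inlineAllowed), the page origin www.example.com and the hosts cdn.example.com and *.example-cdn.net are all constructed for illustration. It models 'self', 'none', '*', scheme-sources, host-sources with wildcards and ports, and the 'unsafe-inline' keyword; nonces, hashes, report-uri, sandbox and the later CSP2 relaxations are deliberately left out.

```javascript
// Added example, not code from the page or from Firefox: a simplified
// evaluator for CSP 1.0 fetch directives. It parses a Content-Security-Policy
// header value and decides whether a resource of a given type, requested from
// a given URL, would be permitted for a page at `pageUrl`.
// Assumptions: nonces/hashes, report-uri, sandbox and CSP2 relaxations
// (e.g. an http: host-source matching an https: URL) are out of scope.

const FETCH_DIRECTIVES = [
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'media-src', 'object-src', 'frame-src',
];
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "directive src src; directive src ..." -> Map(directive -> [source expressions]).
// A repeated directive is ignored: the first occurrence wins, as in the spec.
function parsePolicy(header) {
  const policy = new Map();
  for (const clause of header.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Does one source expression match `url` for a page whose URL is `page`?
function sourceMatches(source, url, page) {
  const expr = source.toLowerCase();
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === page.origin;
  // 'unsafe-inline' / 'unsafe-eval' govern inline code, not fetched URLs.
  if (expr === "'unsafe-inline'" || expr === "'unsafe-eval'") return false;
  if (expr === '*') return true;                          // CSP 1.0: any URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr; // "https:"
  // host-source: [scheme://][*.]host[:port | :*]
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme, CSP 1.0 requires the page's own scheme.
  if ((scheme ? scheme + ':' : page.protocol) !== url.protocol) return false;
  if (wildcard) {
    if (!url.hostname.endsWith('.' + host)) return false; // "*." needs at least one label
  } else if (url.hostname !== host) {
    return false;
  }
  if (port === '*') return true;
  return effectivePort(url) === (port || DEFAULT_PORTS[url.protocol] || '');
}

// The directive governing `resourceType` ("script", "img", ...): the specific
// fetch directive, else default-src, else null meaning "no restriction at all".
function governingSources(policy, resourceType) {
  const directive = `${resourceType}-src`;
  if (!FETCH_DIRECTIVES.includes(directive)) throw new Error(`unknown type ${resourceType}`);
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

function isAllowed(header, resourceType, resourceUrl, pageUrl) {
  const sources = governingSources(parsePolicy(header), resourceType);
  if (sources === null) return true;
  const url = new URL(resourceUrl);
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Inline <script>/<style> is blocked unless the governing directive carries
// 'unsafe-inline'; omitting it is what makes CSP effective against XSS.
function inlineAllowed(header, resourceType, keyword = "'unsafe-inline'") {
  const sources = governingSources(parsePolicy(header), resourceType);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === keyword);
}

// Constructed example: tight default, loosened only for specific resource types.
const PAGE = 'https://www.example.com/account';
const POLICY = "default-src 'self'; script-src 'self' https://*.example-cdn.net; " +
  "img-src 'self' https://cdn.example.com; object-src 'none'";

const checks = [
  ['script', 'https://www.example.com/app.js'],          // 'self'              -> allowed
  ['script', 'https://static.example-cdn.net/lib.js'],  // wildcard host       -> allowed
  ['script', 'https://example-cdn.net/lib.js'],         // "*." needs a label  -> blocked
  ['img',    'http://cdn.example.com/logo.png'],        // scheme mismatch     -> blocked
  ['style',  'https://cdn.example.com/site.css'],       // falls to default-src -> blocked
  ['object', 'https://www.example.com/plugin.swf'],     // 'none'              -> blocked
];
for (const [type, url] of checks) {
  console.log(`${type.padEnd(6)} ${url} -> ${isAllowed(POLICY, type, url, PAGE) ? 'allowed' : 'blocked'}`);
}
console.log(`inline script -> ${inlineAllowed(POLICY, 'script') ? 'allowed' : 'blocked'}`);
```

Two behaviours in the output are the ones that most often surprise people writing their first policy: a directive that is not mentioned at all is governed by default-src (so the stylesheet from cdn.example.com is blocked even though images from the same host are allowed), and a policy with no default-src leaves every unmentioned resource type completely unrestricted. Browsers report each blocked load as a violation, which is what the reporting article above builds on.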