Utilumo
LightDarkSystem
Explainer1 min readUpdated June 29, 2026

What is a Content Security Policy (CSP)?

Short answer

A Content Security Policy (CSP) is an HTTP header that lists which sources a page may load scripts, styles, images, and other content from. It is a strong defense against cross-site scripting, because the browser blocks anything not on the list.

An allowlist for content

Without a policy, a browser will run any script a page contains, including one injected by an attacker. CSP flips that to an allowlist: you declare the trusted sources, and the browser refuses everything else.

Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
A simple, strict policy

Common directives

  • default-src sets the fallback for other resource types
  • script-src controls where JavaScript can load from
  • style-src controls stylesheets
  • img-src, font-src, connect-src control images, fonts, and fetch/XHR
  • frame-ancestors controls who may embed your page in a frame

Source values

  • 'self' allows the page's own origin
  • 'none' blocks everything for that directive
  • A domain like https://cdn.example.com allows that host
  • A nonce or hash allows a specific inline script you trust
  • Avoid 'unsafe-inline', which largely defeats the protection
Roll it out in report-only mode firstUse Content-Security-Policy-Report-Only to see what a policy would block without breaking the site, then tighten and switch to enforcing.
Try it: CSP AnalyzerAnalyze a Content-Security-Policy and spot weak or missing directives locally.Open tool

References

Questions

Does a CSP replace input sanitization?

No. CSP is a second line of defense that limits the damage if something slips through. You still need to escape and validate untrusted input in your code.

Why is 'unsafe-inline' discouraged?

It allows any inline script or style, which is exactly what many cross-site scripting attacks rely on. Use nonces or hashes for the specific inline code you trust instead.

Does this send my data anywhere?

No. Utilumo's developer tools parse and transform input inside the browser tab. Nothing is uploaded, stored, or logged.

Keep reading