Content Security Policy: Best Practices
A strict CSP tells the browser which sources scripts, styles and other resources may be loaded from, so that markup an attacker manages to inject (for example through an XSS flaw) cannot execute script or exfiltrate data. It is defence in depth: it limits what an injection can do, it does not fix the injection.
Principles
- Prefer nonces/hashes over 'unsafe-inline': a per-response nonce (fresh, unpredictable, never reused) or a hash of the exact inline script text. A nonce that is static or guessable is equivalent to 'unsafe-inline'.
- Avoid wildcards ('*', bare scheme sources such as https:) and over-broad hosts such as an entire shared CDN; scope sources precisely by scheme, host and path.
- Serve third‑party or user-supplied content from a separate origin (a dedicated subdomain or a sandboxed iframe) so it gets its own policy, and keep 'unsafe-eval' out of script-src so injected strings cannot reach eval() or new Function().
- Use frame-ancestors for clickjacking protection; browsers that support it ignore X-Frame-Options when both are present, so keep X-Frame-Options only as a fallback for old browsers.
- Collect violation reports (report-to, with report-uri as the fallback for browsers that lack it) and iterate on the policy; expect noise from browser extensions in the reports.
Rollout without breakage
- Ship the policy in Content‑Security‑Policy‑Report‑Only first; fix the reported violations; then move it to the enforcing Content-Security-Policy header. The two headers can be sent together, so the next tightening can run in report-only mode while the current policy enforces.
- Inventory third‑party scripts and gate each one behind a nonce (combined with 'strict-dynamic' for scripts that load further scripts) or a hash; anything not on the inventory is blocked, which is the point.
- Pin expected outbound connections (fetch/XHR, WebSocket, beacons) with connect-src so injected code cannot exfiltrate data to an arbitrary host.
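The report-only rollout step, as an added example that is not code from the original page: a Node.js triage routine for the violation reports the collection endpoint receives. It accepts both the legacy report-uri body ({"csp-report": {...}}) and the Reporting API shape used by report-to ({"type": "csp-violation", "body": {...}}), drops browser-extension noise, and counts violations per (directive, blocked origin) so that each output line maps to one fix: a nonce/hash for an inline script, or a host to add to script-src or connect-src. The sample reports and all hostnames in them are constructed for the example.

```javascript
// Added example (not from the original page). Triages CSP violation reports
// from a Report-Only rollout. SAMPLE_REPORTS is constructed test data with
// placeholder hostnames; the function names are choices made for the example.

const SAMPLE_REPORTS = [
  // report-uri format: one JSON object per POST, Content-Type application/csp-report
  { "csp-report": { "document-uri": "https://app.example.com/", "effective-directive": "script-src",
      "blocked-uri": "https://cdn.example.net/tag.js", "original-policy": "default-src 'self'" } },
  { "csp-report": { "document-uri": "https://app.example.com/checkout", "effective-directive": "script-src",
      "blocked-uri": "inline", "script-sample": "window.dataLayer = window.dataLayer || [];" } },
  // report-to format: delivered in batches (an array) with Content-Type application/reports+json
  { type: "csp-violation", age: 12, url: "https://app.example.com/",
    body: { documentURL: "https://app.example.com/", effectiveDirective: "connect-src",
            blockedURL: "https://api.example.net/v1/events?id=42", disposition: "report" } },
  { type: "csp-violation", age: 3, url: "https://app.example.com/",
    body: { documentURL: "https://app.example.com/", effectiveDirective: "script-src-elem",
            blockedURL: "chrome-extension://abcdefghijklmnop/content.js", disposition: "report" } },
  // older browsers omit effective-directive; violated-directive holds the full directive text
  { "csp-report": { "document-uri": "https://app.example.com/cart", "violated-directive": "script-src 'self'",
      "blocked-uri": "https://cdn.example.net/tag.js?v=2" } },
];

// Map either report shape onto one record; returns null for anything else.
function normalizeReport(raw) {
  if (raw && raw["csp-report"]) {
    const r = raw["csp-report"];
    const directive = r["effective-directive"] || String(r["violated-directive"] || "").split(/\s+/)[0];
    return { directive, blocked: r["blocked-uri"] || "", sample: r["script-sample"] || "", page: r["document-uri"] || "" };
  }
  if (raw && raw.type === "csp-violation" && raw.body) {
    const b = raw.body;
    return { directive: b.effectiveDirective || "", blocked: b.blockedURL || "", sample: b.sample || "", page: b.documentURL || "" };
  }
  return null;
}

// Browser extensions inject their own scripts; those violations are not the app's to fix.
function isExtensionNoise(blocked) {
  return /^(chrome|moz|safari-web|ms-browser)-extension:/.test(blocked);
}

// Reduce a blocked URL to its origin so one CDN shows up as one line. Keyword
// values the browser reports (inline, eval, data, blob) are kept as-is.
function blockedKey(blocked) {
  if (!blocked) return "(none)";
  if (!/^[a-z][a-z0-9+.-]*:/i.test(blocked)) return blocked;
  try {
    const u = new URL(blocked);
    if (u.origin !== "null") return u.origin;
    return u.host ? `${u.protocol}//${u.host}` : u.protocol;
  } catch {
    return blocked;
  }
}

// Count violations per "<directive> <origin>" and keep the first script sample
// seen for each key, which identifies the inline script that needs a nonce/hash.
function triage(reports) {
  const counts = {};
  const samples = {};
  let ignored = 0;
  let unparsed = 0;
  for (const raw of reports) {
    const r = normalizeReport(raw);
    if (!r) { unparsed++; continue; }
    if (isExtensionNoise(r.blocked)) { ignored++; continue; }
    const key = `${r.directive} ${blockedKey(r.blocked)}`;
    counts[key] = (counts[key] || 0) + 1;
    if (r.sample && !samples[key]) samples[key] = r.sample;
  }
  const ordered = Object.fromEntries(Object.entries(counts).sort((a, b) => b[1] - a[1]));
  return { counts: ordered, samples, ignored, unparsed };
}

const TRIAGE = triage(SAMPLE_REPORTS);
for (const [key, n] of Object.entries(TRIAGE.counts)) {
  const sample = TRIAGE.samples[key] ? `  sample: ${TRIAGE.samples[key]}` : "";
  console.log(`${String(n).padStart(4)}  ${key}${sample}`);
}
console.log(`ignored (extensions): ${TRIAGE.ignored}, unparsed: ${TRIAGE.unparsed}`);
```

The collection endpoint should accept both content types, respond 204, and never reflect report contents into a page. Script samples only appear when the policy includes the 'report-sample' keyword in script-src; without it an "inline" violation tells you that an inline script was blocked but not which one.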