HTTP security headers

Content-Security-Policy (CSP)

Why a Content-Security-Policy is the strongest browser-side defense against cross-site scripting, and how WebGuard flags a missing or weak one.

Last updated June 9, 2026

What it is

A Content-Security-Policy is a response header that tells the browser exactly which sources it may load scripts, styles, frames, and other content from. Anything outside that allow-list is blocked before it can run.

Why it matters

CSP is the most effective browser-side defense against cross-site scripting (XSS) and content injection, because it constrains where executable content can come from even if an attacker manages to inject markup. A missing policy removes that safety net entirely; an over-broad one (for example allowing `unsafe-inline` or `*`) provides little real protection, so the quality of the policy matters as much as its presence.

How WebGuard checks it

WebGuard reads the Content-Security-Policy header your public pages return and reports whether it is present and whether it is meaningfully restrictive. It is a read-only observation of headers your server already sends.

A sensible starting configuration:

Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.