CSP
Embed This Widget
Add the script tag and a data attribute to embed this widget.
Embed via iframe for maximum compatibility.
<iframe src="https://ipfyi.com/iframe/glossary/csp/" width="420" height="400" frameborder="0" style="border:0;border-radius:10px;max-width:100%" loading="lazy"></iframe>
Paste this URL in WordPress, Medium, or any oEmbed-compatible platform.
https://ipfyi.com/glossary/csp/
Add a dynamic SVG badge to your README or docs.
[](https://ipfyi.com/glossary/csp/)
Use the native HTML custom element.
التعريف
سياسة أمان المحتوى. رأس HTTP يحدد مصادر المحتوى (النصوص البرمجية والأنماط والصور) المسموح للمتصفح بتحميلها لصفحة معينة، مما يوفر دفاعاً قوياً ضد هجمات XSS وحقن البيانات.
The Threat CSP Addresses
Cross-Site Scripting (XSS) attacks inject malicious scripts into trusted pages. Even with input sanitization, a single vulnerability can execute arbitrary JavaScript in a victim's browser. Content Security Policy provides a second line of defense by declaring, at the HTTPSHTTP Secure. The encrypted version of HTTP that uses TLS to protect data in transit between a browser and a web server. Identified by the padlock icon in browsers and the https:// URL scheme. response level, which sources of content are permitted to load and execute.
Directive Syntax and Policy Design
A CSP header uses directives to control resource categories: script-src governs JavaScript, style-src controls CSS, img-src handles images, connect-src restricts REST APIRepresentational State Transfer Application Programming Interface. An architectural style for web services that uses standard HTTP methods (GET, POST, PUT, DELETE) and stateless communication to manipulate resources identified by URLs. and WebSocketA communication protocol that provides full-duplex, persistent connections between a browser and server over a single TCP connection. Ideal for real-time applications like chat, live dashboards, and multiplayer games. fetch targets. A strict baseline — default-src 'self' — blocks all external resources unless explicitly allowed. Content-Security-Policy-Report-Only mode lets you test a policy and collect violation reports without breaking functionality.
Interaction with Modern Web Features
Service WorkerA JavaScript script that runs in the background of a browser, separate from the web page, enabling features like offline caching, push notifications, and background sync. The foundation of Progressive Web Apps (PWAs). registration URLs must appear in script-src or the worker will be blocked. HTTP/2The second major version of HTTP, introducing multiplexed streams, header compression (HPACK), and server push over a single TCP connection. HTTP/2 significantly improves page load performance compared to HTTP/1.1. server push can deliver CSP headers alongside resources, but pushed resources still must comply with the policy. Inline scripts require either a cryptographic nonce (a unique value per response) or a hash of the script content — the 'unsafe-inline' allowance should be avoided. CSP violation reports, sent to a report-uri endpoint, provide real-world telemetry on attempted attacks and misconfigured policies. Combining CSP with HSTSHTTP Strict Transport Security. A web security policy mechanism that instructs browsers to only access a site over HTTPS, preventing protocol downgrade attacks and cookie hijacking. Configured via the Strict-Transport-Security response header. and proper SSL/TLSSecure Sockets Layer / Transport Layer Security. Cryptographic protocols that provide encrypted, authenticated communication over a network. SSL is deprecated; modern implementations use TLS 1.2 or TLS 1.3. configuration creates a robust browser-level security envelope.