Securing your web app with CSP
A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
By declaring which sources scripts, styles, frames and other resources may be loaded from, and by blocking inline scripts and `eval()` unless the policy explicitly permits them, a CSP limits what an injected script can do. For example, if an attacker injects a `<script>` tag, the browser will not execute it unless it satisfies the `script-src` directive: an inline script needs a matching nonce or hash (or the weak `'unsafe-inline'` keyword), and an external script must come from an allowlisted origin. Two caveats: CSP is defense in depth, not a replacement for output encoding and input validation, and host allowlists are often bypassable when an allowed origin also serves JSONP endpoints or script-loading libraries, which is why nonce- or hash-based policies are preferred over long domain lists.
You can deliver a CSP either via an HTTP response header (the preferred, most robust method) or via an HTML `<meta http-equiv="Content-Security-Policy">` tag placed as early as possible in the `<head>` of your document. Keep in mind that a policy delivered by `<meta>` only governs content that follows it, and that the `frame-ancestors`, `report-uri` and `sandbox` directives, as well as the report-only mode (`Content-Security-Policy-Report-Only`), are only available through the header.