Security also: Content Security Policy

CSP

HTTP response header that tells the browser which origins may supply the scripts, styles, frames and other resources a page loads; anything not on the allow-list is blocked.


In plain terms

When configured strictly, it is the single most effective XSS mitigation: inline scripts run only if they carry a matching nonce or their hash is listed in the policy, so injected script tags are refused by the browser.

Origin

CSP Level 1 was published by the W3C in 2012. Hash- and nonce-based source expressions arrived in Level 2 (2016); 'strict-dynamic' followed in Level 3. When configured strictly it is the single biggest XSS mitigation, and Google has used it across its products since 2016.
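The following is an added example, not code from the page or from any of the products it mentions. It shows what "configured strictly" means in practice: a per-response nonce, a nonce-based policy in the shape Google's strict-CSP guidance describes (the exact header text is my assumption, the page shows none), and a small audit routine that flags the settings which make a policy ineffective against XSS ('unsafe-inline' without a nonce or hash, 'unsafe-eval', broad scheme or wildcard sources, a missing object-src 'none' or base-uri). The audit also handles the edge case where 'unsafe-inline' is legitimately present as a fallback beside a nonce, which CSP3-capable browsers ignore.

```python
import secrets


def new_nonce() -> str:
    # 128 bits from the OS CSPRNG, generated fresh for every response.
    # A nonce that is reused or guessable gives the attacker the allow-list.
    return secrets.token_urlsafe(16)


def strict_policy(nonce: str) -> str:
    # Strict, nonce-based policy (form assumed from Google's strict-CSP guidance).
    # 'strict-dynamic' lets a nonced script load further scripts it trusts;
    # https: and 'unsafe-inline' are fallbacks that browsers supporting nonces ignore.
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
        "object-src 'none'; base-uri 'none'"
    )


def script_tag(nonce: str, js: str) -> str:
    # The nonce attribute must equal the one in the header of the same response.
    # `js` is trusted server-side code, never user-controlled data.
    return f'<script nonce="{nonce}">{js}</script>'


def parse_policy(header: str) -> dict:
    # Directives are ';'-separated; each is a name followed by whitespace-separated sources.
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_policy(header: str) -> list:
    # Returns a list of weaknesses; an empty list means the policy is strict.
    p = parse_policy(header)
    findings = []

    scripts = p.get("script-src", p.get("default-src"))
    if scripts is None:
        return ["no script-src or default-src: scripts are unrestricted"]

    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce or hash: injected inline scripts run")
    if "'unsafe-eval'" in scripts:
        findings.append("'unsafe-eval' lets eval()/Function() execute injected strings")
    if "'strict-dynamic'" not in scripts:
        # Without 'strict-dynamic' every listed host/scheme is honoured, so these are too broad.
        broad = [s for s in scripts if s in ("*", "https:", "http:", "data:")]
        if broad:
            findings.append(f"overly broad script sources: {' '.join(broad)}")

    objects = p.get("object-src", p.get("default-src"))
    if objects is None or "'none'" not in objects:
        findings.append("object-src is not 'none': plugin content can execute script")
    if "base-uri" not in p:
        findings.append("no base-uri: an injected <base> can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    # Constructed sample of a common weak policy beside the strict one.
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
    for f in audit_policy(weak):
        print("weak:", f)
    nonce = new_nonce()
    print("strict header:", strict_policy(nonce))
    print("findings:", audit_policy(strict_policy(nonce)))
    print(script_tag(nonce, "init();"))
```

The audit is deliberately conservative: it reads only the script-related directives, and a policy that passes it still needs a report-only rollout to catch legitimate inline handlers that the nonce does not cover.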

Where it shows up in production
  • Google services: strict CSP with nonces across Search, Gmail and Drive, documented in their 2016 engineering blog.
  • GitHub: CSP with a nonce source for inline scripts; their XSS reports dropped dramatically after deployment.