IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. HTTP Security Headers
  3. Content-Security-Policy

HTTP security header

Content-Security-Policy

The Content-Security-Policy (CSP) header lets a site declare approved sources for scripts, styles, images, and other content. A strict CSP is a powerful defense-in-depth measure against cross-site scripting: even if an attacker injects markup, the browser refuses to execute disallowed scripts. CSP mitigates impact but does not replace correct output encoding.

Example

Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'

Configuration guidance

  • Prefer a strict, nonce- or hash-based policy over allowlisting hosts.
  • Avoid 'unsafe-inline' and 'unsafe-eval', which defeat much of CSP's value.
  • Set object-src 'none' and base-uri 'none' to close common bypasses.
  • Roll out with Content-Security-Policy-Report-Only first to catch breakage.

Helps mitigate

Cross-Site Scripting (XSS)

Related headers

X-Content-Type-OptionsX-Frame-OptionsCross-Origin-Resource-Policy
MDN: CSP

Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.

Test my app
← All security headers
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub