Content-Security-Policy (CSP)
Also known as: CSP, Content Security Policy
A rulebook your site gives the browser listing exactly what code and content are allowed to run — the main defence against attackers injecting malicious scripts into your pages.
What it is
A Content-Security-Policy, or CSP, is a list of rules your website hands to the visitor’s browser saying which scripts, images, styles and other content are allowed to load and run — and, by implication, that everything else is to be blocked. It’s like giving the browser a guest list and telling it to turn away anyone not on it.
Why it matters to your business
One of the most common website attacks is sneaking malicious code into a page — through a comment box, a form, a hijacked plug-in, or a compromised third-party widget. Once that code runs in a visitor’s browser, it can steal logins, hijack sessions, skim card details at checkout, or deface the page.
A CSP is the seatbelt for this. Even if an attacker manages to slip code in, the browser refuses to run anything not on your approved list — so the attack fizzles instead of firing. For a business that takes payments or logins on its site, this is one of the highest-value protections you can add, and it costs nothing.
How to tell / what to do
Our free checker tells you whether your site sends a Content-Security-Policy and flags if it’s missing. Because a CSP lists your site’s specific content, it needs to be tailored — the CSP fix guide walks through building one carefully so it protects you without breaking anything your site legitimately uses. It’s free to set up.
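To make the "guest list" concrete, here is an added example in Python. It is not the Defaults.Exposed checker or the fix guide's code: it parses a Content-Security-Policy header the way a browser reads it, decides whether a given script or image URL would be allowed to load, and lists the settings that leave script injection open (no default-src, 'unsafe-inline', wildcard hosts). The two headers, the page origin shop.example.com and the hostnames cdn.example.com and unlisted.example.net are constructed for the demo; host, port and path matching is a simplified reading of the CSP rules, and nonces, hashes and 'strict-dynamic' are not modelled.

```python
"""Added example, not the Defaults.Exposed checker: parse a CSP header,
answer "would the browser load this?", and flag weak settings."""
from urllib.parse import urlsplit

# Directives that inherit from default-src when they are not set.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "frame-src", "object-src", "media-src")


def parse_csp(header: str) -> dict[str, list[str]]:
    """'dir src src; dir src' -> {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:  # browsers keep the first copy of a repeated directive
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str) -> list[str]:
    """Missing fetch directive -> default-src; nothing at all -> unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return ["*"]


def _scheme_allows(expr_scheme: str, url_scheme: str) -> bool:
    # http: also covers https and ws: covers wss (secure upgrade is fine).
    return url_scheme == expr_scheme or (expr_scheme, url_scheme) in (
        ("http", "https"), ("ws", "wss"))


def source_allows(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit fetching url from page_origin?"""
    u = urlsplit(url)
    if expr.startswith("'"):  # keyword: 'self', 'none', 'unsafe-inline', ...
        if expr.strip("'").lower() == "self":
            return f"{u.scheme}://{u.netloc}".lower() == page_origin.lower()
        return False  # 'none' and non-URL keywords never match a URL
    if expr == "*":
        return u.scheme in ("http", "https", "ws", "wss")
    if expr.endswith(":") and "/" not in expr:  # scheme-source: https: data:
        return _scheme_allows(expr[:-1].lower(), u.scheme)
    # host-source: [scheme://]host[:port][/path], host may begin with "*."
    e = urlsplit(expr if "://" in expr else "//" + expr)
    if e.scheme and not _scheme_allows(e.scheme, u.scheme):
        return False
    if not e.scheme and u.scheme not in ("http", "https"):
        return False
    ehost, uhost = e.hostname or "", u.hostname or ""
    if ehost.startswith("*."):
        if not uhost.endswith(ehost[1:]):  # *.example.com, not example.com
            return False
    elif ehost != uhost:
        return False
    if e.port is not None and e.port != u.port:
        return False
    if e.path and e.path != "/":  # trailing slash = prefix, otherwise exact
        return u.path.startswith(e.path) if e.path.endswith("/") else u.path == e.path
    return True


def resource_allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Would the browser load url under this directive (e.g. script-src)?"""
    return any(source_allows(s, url, page_origin)
               for s in effective_sources(policy, directive))


def inline_allowed(policy: dict, directive: str = "script-src") -> bool:
    """Would an inline <script> (the usual shape of injected code) run?"""
    return "'unsafe-inline'" in effective_sources(policy, directive)


def review(policy: dict) -> list[str]:
    """Flag settings that defeat the point of a CSP: stopping injected scripts."""
    if not policy:
        return ["no Content-Security-Policy: the browser runs whatever is on the page"]
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: any directive you forget is unrestricted")
    for d in ("script-src", "style-src"):
        srcs = effective_sources(policy, d)
        if "'unsafe-inline'" in srcs:
            findings.append(f"{d} allows 'unsafe-inline': injected inline code still runs")
        if d == "script-src" and "'unsafe-eval'" in srcs:
            findings.append("script-src allows 'unsafe-eval': string-to-code execution is open")
        if any(s in ("*", "http:", "https:") for s in srcs):
            findings.append(f"{d} allows any host: files from unlisted sites load")
    return findings


if __name__ == "__main__":
    PAGE = "https://shop.example.com"  # constructed page origin
    WEAK = "script-src 'self' 'unsafe-inline' *; img-src *"  # constructed
    STRICT = ("default-src 'none'; script-src 'self' https://cdn.example.com; "
              "style-src 'self'; img-src 'self' data:; connect-src 'self'; "
              "base-uri 'self'; frame-ancestors 'none'")  # constructed
    for label, header in (("weak", WEAK), ("strict", STRICT)):
        p = parse_csp(header)
        print(label, "| inline script runs:", inline_allowed(p), "| unlisted host loads:",
              resource_allowed(p, "script-src", "https://unlisted.example.net/x.js", PAGE))
        for finding in review(p):
            print("  -", finding)
```

Run it and the weak policy reports that inline script runs and an unlisted host loads, with four findings; the strict policy blocks both and reports nothing, while still allowing its own files, the named CDN and inline images. That difference is what the fix guide's tailoring is for: the list has to name everything the site legitimately uses, and nothing more.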
Want to fix this on your own domain? See the free guide →