Content-Security-Policy Header


The Content-Security-Policy (CSP) HTTP response header helps you reduce XSS risk on modern browsers by declaring, in an HTTP response header, which dynamic resources the page is allowed to load. This added layer of security helps detect and mitigate certain types of attacks, such as Cross-Site Scripting (XSS) and data injection attacks.


Content-Security-Policy: policy-directive


Directives for the Content-Security-Policy header define the sources from which certain types of resources can be loaded. They include:

  • default-src: This directive is the fallback; it applies to any resource type for which no more specific directive is defined.
  • script-src: This defines the locations from which scripts can be loaded.
  • style-src: This designates the locations from which stylesheets can be loaded.
  • img-src: This specifies the locations from which images can be loaded.


A simple CSP policy might look like this:

Content-Security-Policy: default-src 'self'; img-src *; 

In this case, default-src 'self' only allows scripts, styles and other resources from the same origin as the page, while img-src * overrides that fallback for images and allows them to be loaded from any origin.
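To make the fallback rule and the source matching concrete, here is an added Python example (not code from this page or from ModHeader) that parses a policy string and decides whether a given resource load is allowed. The function names, the page origin https://example.com and the sample URLs are constructed for illustration; the matcher covers the forms used above ('self', 'none', *) plus scheme and host sources, and deliberately ignores ports, paths, nonces and hashes.

```python
"""Parse a Content-Security-Policy value and evaluate individual loads.
Added example; not part of the original page or of ModHeader."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                       "connect-src", "media-src", "object-src", "frame-src"}
# Schemes the bare wildcard '*' matches (it never matches data:, blob:, ...).
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}


def parse_csp(header_value):
    """Turn "dir src src; dir src" into {dir: [src, ...]}.
    Directive names are case-insensitive; a repeated directive is ignored
    after its first occurrence, as browsers do."""
    policy = {}
    for token in header_value.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def source_matches(source, url, page_origin):
    """Return True if one source expression permits loading url."""
    target = urlsplit(url)
    target_host = (target.hostname or "").lower()
    if source == "'none'":
        return False
    if source == "'self'":
        # Same scheme, host and port as the page (constructed page_origin).
        return f"{target.scheme}://{target.netloc}" == page_origin
    if source == "*":
        return target.scheme in NETWORK_SCHEMES
    if source.startswith("'"):
        return False  # 'unsafe-inline', nonces, hashes do not match URLs
    if source.endswith(":"):  # scheme-source such as https:
        return target.scheme == source[:-1].lower()
    # host-source: [scheme://]host, optionally with a leading *. wildcard
    scheme, _, host = source.rpartition("://")
    host = host.split("/")[0].split(":")[0].lower()  # drop path and port
    if scheme:
        if target.scheme != scheme.lower():
            return False
    else:
        # No scheme given: match the page's scheme (http pages may upgrade).
        page_scheme = page_origin.split("://")[0]
        allowed = {page_scheme} | ({"https"} if page_scheme == "http" else set())
        if target.scheme not in allowed:
            return False
    if host.startswith("*."):
        return target_host.endswith(host[1:])  # *.example.com excludes the apex
    return target_host == host


def is_allowed(policy, directive, url, page_origin):
    """Apply the directive, falling back to default-src where CSP does so.
    A directive that is absent (and has no fallback) leaves the load unrestricted."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    page = "https://example.com"  # constructed page origin
    policy = parse_csp("default-src 'self'; img-src *;")
    for directive, url in [
        ("script-src", "https://example.com/app.js"),
        ("script-src", "https://evil.example.net/x.js"),
        ("img-src", "https://cdn.other.org/a.png"),
        ("img-src", "data:image/png;base64,AAAA"),
    ]:
        print(directive, url, "->", is_allowed(policy, directive, url, page))
```

Running the block shows why the page's policy blocks a third-party script but permits a third-party image, and that the bare wildcard still does not admit data: URLs.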

Browser Compatibility

  • Chrome: Supported
  • Firefox: Supported
  • Safari: Supported
  • Opera: Supported
  • Edge: Supported

How to modify Content-Security-Policy header

ModHeader is a Chrome extension that allows users to modify HTTP request and response headers. To modify the Content-Security-Policy header using ModHeader:

  1. Install the ModHeader extension in Google Chrome.
  2. Click on the ModHeader icon in your browser toolbar.
  3. Click 'Add' to add a new response header.
  4. Enter 'Content-Security-Policy' in the 'Name' field and your policy in the 'Value' field. For example, default-src 'self'; allows scripts and other resources only from the same origin as the page.
  5. ModHeader will then add your Content-Security-Policy header to every HTTP response the browser receives.

ModHeader can be instrumental in testing different Content-Security-Policy values against live sites, as it lets developers modify headers on the fly without reconfiguring the server.