Content Security Policy is a browser-enforced security mechanism that restricts which content sources a page may load or execute and helps reduce the impact of unsafe script behavior.
Content Security Policy, often called CSP, is a browser-enforced security mechanism that limits which sources a web page is allowed to load and execute. In plain language, it tells the browser which scripts, frames, styles, and similar resources are trusted enough to run on the page.
CSP matters because browsers automatically load and run a large amount of web content. If a page is allowed to execute content from unsafe or unexpected places, the application becomes much easier to abuse.
It also matters because CSP can reduce the impact of certain injection and content-loading problems when it is designed carefully and maintained consistently. It is one of the clearest examples of browser-side defense in depth for modern web applications.
Content Security Policy appears in web application hardening, frontend deployment review, Cross-Site Scripting defense, admin portal security, and single-page application design. Teams usually review it when they are managing trusted script sources, third-party content, or browser-side attack surface.
It connects closely to Output Encoding, Secure Coding, Session Management, Web Application Firewall, and Browser Isolation.
It is most useful when it is part of a broader web-security posture rather than treated as a single magic header.
A company operates an internal admin portal that uses a known set of script and frame sources. The team configures the application so the browser accepts content only from those approved locations and rejects unexpected inline execution by default. That does not erase the need to fix rendering bugs, but it can reduce the damage if unsafe content appears.
Content Security Policy is not a replacement for fixing Cross-Site Scripting issues. It is a protective layer, not a justification for leaving unsafe rendering or script handling in place.
It is also different from a Web Application Firewall. A WAF acts in front of the application, while CSP influences how the browser behaves after the page is delivered.
CSP is not a one-time hardening checkbox either. Web assets, third-party integrations, and application behavior change over time, so a policy that is never reviewed can become either too weak or too disruptive.