Content Security Policy definitions for controlling which resources a web page can load. Used in HTTP security headers.
Content Security Policy (CSP) is a web security standard that originated at Mozilla and was standardized by the W3C, first published as CSP 1.0 (Level 1) in 2012, with Level 2 and Level 3 following as the standard matured. CSP is delivered as an HTTP response header (Content-Security-Policy) or an HTML meta tag and instructs the browser to restrict which resources (scripts, stylesheets, images, fonts, frames, and network connections) a page may load. By defining an allowlist of trusted sources through directives such as script-src, style-src, img-src, connect-src, and the default-src fallback, CSP is a strong mitigation for cross-site scripting (XSS) and other content injection attacks; its frame-ancestors directive additionally controls who may embed the page, which is the standard defense against clickjacking.
CSP is widely deployed by security-conscious web applications, from banking platforms to social networks, and is recommended by OWASP as a fundamental web security control. The policy syntax is a semicolon-separated list of directives, each followed by zero or more source expressions: host names (optionally with a scheme, wildcard subdomain, or path), bare schemes such as https: or data:, keywords in single quotes such as 'self' or 'none', and per-response nonces ('nonce-...') or content hashes ('sha256-...'). Violation reporting is configured with the report-uri or report-to directive, which names the endpoint that receives violation reports; combined with the Content-Security-Policy-Report-Only header, a policy can be monitored without blocking anything, which is how a new or tightened policy is normally rolled out. report-uri is deprecated in Level 3 in favor of report-to (which builds on the Reporting API), but browser support for the newer directive is still uneven, so deployments commonly send both.
Modern CSP features include 'strict-dynamic', which lets a script loaded via a trusted nonce or hash propagate trust to the scripts it loads while host allowlists are ignored; nonce- and hash-based policies for inline scripts; and Trusted Types, enforced through the require-trusted-types-for 'script' directive, for protecting DOM injection sinks such as innerHTML. Major browsers (Chrome, Firefox, Safari, Edge) fully support CSP Level 2, with Level 3 features adopted progressively. Security teams often maintain CSP configurations in dedicated files or configuration management systems, treating them as critical security infrastructure that requires the same review rigor as firewall rules.
CSP policy changes are security-critical: a single overly permissive directive addition can re-enable cross-site scripting attacks that compromise user data. Adding 'unsafe-inline' or 'unsafe-eval' to script-src, adding a wildcard or an overly broad host, or removing a restrictive directive such as object-src 'none' or base-uri 'none' weakens the whole policy, not just the directive that changed, because directives fall back to default-src when absent.
Comparing CSP configurations catches unauthorized source additions, accidental directive removals, and report-uri or report-to changes that could hide violations. Security teams should diff CSP headers across deployments to ensure that production policies match approved configurations. One caveat when doing so: nonce values are meant to change on every response, so a nonce difference by itself is expected and should not be treated as a policy change.
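The following is an added example, not UtraDiff's code: a small Python tool that parses two CSP header values using the syntax described above (semicolon-separated directives, whitespace-separated source expressions, case-insensitive directive names and keywords) and reports the security-relevant differences discussed in the previous paragraphs. It masks rotating nonce values so they do not show up as spurious changes, honors only the first occurrence of a repeated directive as browsers do, and flags additions of loosening sources, removal of protective directives, and moved report endpoints. The two policies in OLD_POLICY and NEW_POLICY are constructed sample input, and the severity labels are the author's own assumptions rather than anything from a standard.

```python
"""Diff two Content-Security-Policy header values for security-relevant changes.

Added example for this page, not UtraDiff's code. OLD_POLICY and NEW_POLICY
are constructed sample input; the severity labels are this example's own.
"""

# Source expressions that broaden a fetch directive. Adding any of these is
# flagged HIGH regardless of which directive it lands in.
WEAKENING = {"'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'", "*",
             "data:", "blob:", "http:", "https:", "*:"}

# Directives whose disappearance removes a protection or hides violations.
CRITICAL = {"default-src", "script-src", "object-src", "base-uri",
            "frame-ancestors", "form-action", "report-uri", "report-to"}


def normalize_source(src):
    """Canonicalize one source expression for comparison.

    Keywords ('self', 'unsafe-inline', ...) and scheme-only sources are
    ASCII case-insensitive, so they are lowercased. Nonces rotate on every
    response, so the value is replaced by a placeholder and only the presence
    of a nonce is compared. Hash digests are base64 and therefore kept as
    written; host sources are compared as written too.
    """
    low = src.lower()
    if low.startswith("'nonce-"):
        return "'nonce-<rotating>'"
    if low.startswith(("'sha256-", "'sha384-", "'sha512-")):
        return low[:8] + src[8:]  # lowercase the prefix, keep the digest
    if low.startswith("'") or low.endswith(":"):
        return low
    return src


def parse_csp(header):
    """Return {directive: [sources]} for a CSP header value.

    Directives are ';'-separated and the first whitespace-separated token is
    the case-insensitive directive name. Browsers honour only the first
    occurrence of a repeated directive and ignore later ones, as done here.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = [normalize_source(t) for t in tokens[1:]]
    return policy


def diff_csp(old_header, new_header):
    """Return a list of (severity, message) describing how new differs from old."""
    old, new = parse_csp(old_header), parse_csp(new_header)
    findings = []
    for name in sorted(set(old) | set(new)):
        if name not in new:
            sev = "HIGH" if name in CRITICAL else "INFO"
            findings.append((sev, f"{name}: directive removed"))
            continue
        before, after = set(old.get(name, [])), set(new[name])
        if name not in old:
            findings.append(("INFO", f"{name}: directive added"))
        if name in ("report-uri", "report-to") and before and before != after:
            # A moved report endpoint can silently divert violation reports.
            findings.append(("MEDIUM", f"{name}: report endpoint changed to "
                                       f"{' '.join(sorted(after))}"))
            continue
        for src in sorted(after - before):
            sev = "HIGH" if src in WEAKENING else "MEDIUM"
            findings.append((sev, f"{name}: source added {src}"))
        for src in sorted(before - after):
            # Losing a host, hash or nonce only tightens the directive; any
            # broader replacement is already reported as an addition above.
            findings.append(("INFO", f"{name}: source removed {src}"))
    return findings


# Constructed sample policies: the "new" one rotates the nonce (expected),
# adds 'unsafe-inline', drops frame-ancestors and moves the report endpoint.
OLD_POLICY = ("default-src 'self'; script-src 'self' 'nonce-abc123' "
              "https://cdn.example.com; object-src 'none'; base-uri 'none'; "
              "frame-ancestors 'none'; report-uri /csp-report")
NEW_POLICY = ("default-src 'self'; script-src 'self' 'nonce-xyz789' "
              "https://cdn.example.com 'unsafe-inline'; object-src 'none'; "
              "base-uri 'none'; report-uri https://collector.example.net/report")


def demo():
    """Run the diff on the constructed sample policies."""
    return diff_csp(OLD_POLICY, NEW_POLICY)


if __name__ == "__main__":
    for severity, message in demo():
        print(f"[{severity}] {message}")
```

Run against the sample policies, the tool reports the removed frame-ancestors directive and the added 'unsafe-inline' as HIGH and the moved report-uri as MEDIUM, while the nonce change produces no finding. For a real pipeline the two header values would come from an approved configuration and a live response to the deployment under review.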
UtraDiff compares Content Security Policy definitions with syntax highlighting that distinguishes directives like script-src, style-src, and default-src from source values such as nonces, hashes, and domain allowlists. Side-by-side view makes added or removed sources immediately obvious across policy versions.
Inline view consolidates long single-line policies into a readable diff. The whitespace-ignore toggle filters out formatting differences, and Alt+arrow navigation jumps directly between changed directives.
Supported extensions: .csp