
Defending Against XSS Using CSP (script-src)

  • Writer: Shounak Itraj
  • 4 days ago

Content Security Policy (CSP) is one of the most effective mitigations for Cross-Site Scripting (XSS). The script-src directive tells the browser which scripts may execute on the page, so even when an attacker succeeds in injecting markup, the injected <script> element or inline event handler is refused unless it satisfies the policy. CSP is a second layer, not a replacement for output encoding and input validation: it limits the damage when those controls fail.

Key script-src approaches:

  • Nonce-based CSP: the server generates a fresh, unguessable random value (at least 128 bits from a CSPRNG) for every response, sends it in the header as 'nonce-<value>' and stamps the same value on each legitimate <script nonce="..."> tag. Only scripts carrying a matching nonce execute. An attacker cannot predict the nonce for the victim's response, so injected scripts fail. This is the recommended approach for dynamically rendered applications.
  • Hash-based CSP: the header lists the SHA-256, SHA-384 or SHA-512 digest of each allowed inline script, base64-encoded, as 'sha256-<digest>'. The browser hashes the exact bytes between the <script> tags and runs the script only on a match, so any change to the script (even whitespace) requires a new hash. Suitable for static inline scripts that do not change.
  • 'strict-dynamic': lets scripts that were already trusted via a nonce or hash load further scripts (for example through document.createElement('script')) without those also needing a nonce, while the browser ignores host and scheme allowlists such as https: or cdn.example.com. This simplifies CSP deployment in complex SPAs and third-party-heavy pages.

Avoid 'unsafe-inline' and 'unsafe-eval' as operative sources: 'unsafe-inline' lets any injected inline script run, which negates the protection entirely, and 'unsafe-eval' lets injected strings reach eval() and similar sinks. The one legitimate use of 'unsafe-inline' is as a fallback for old browsers, because a browser that understands nonces or hashes ignores it once either is present.

A well-configured script-src policy significantly reduces your XSS attack surface and is a critical layer in any defence-in-depth web security strategy.
