CSP Explained: A Practical Guide to Content Security Policy

CSP explained clearly: what Content Security Policy is, which directives matter, how to deploy it safely, and how to monitor it so it never silently breaks.

1 June 2026·Uptrue Team

CSP Explained: A Practical Guide to Content Security Policy

By Krithi

If you've ever opened your browser's developer console and seen a wall of Content-Security-Policy violations, or inherited a codebase where someone just set default-src * and called it a day, you already know the problem. Content Security Policy is one of the most powerful browser security mechanisms available — and one of the most routinely misunderstood. This guide cuts through the noise and gives you a clear, working understanding of what CSP does, how to write a sensible policy, and how to keep it healthy over time.

What Is Content Security Policy?

Content Security Policy (CSP) is an HTTP response header that tells the browser which sources of content — scripts, stylesheets, images, fonts, frames, and more — are allowed to load on a given page. Any resource that doesn't match the policy is blocked before it can execute or render.

The core idea is straightforward: instead of relying solely on the server to serve clean content, you explicitly whitelist what's permitted. This creates a strong second line of defence against cross-site scripting (XSS), clickjacking, mixed-content injection, and data exfiltration attacks.

CSP is delivered as a response header:

` Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none' `

Or, during development and rollout, as a report-only header that logs violations without blocking anything:

` Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-reports `

The browser interprets the header, enforces (or observes) the policy, and — if you've set up a reporting endpoint — sends JSON violation reports whenever something is blocked.

Why CSP Matters for Real-World Security

XSS remains one of the most common web vulnerabilities. An attacker who finds a way to inject arbitrary HTML or JavaScript into your page can steal session cookies, capture form inputs, redirect users, or silently beacon data to an external server.

A well-crafted CSP doesn't eliminate XSS bugs in your code, but it severely limits what an attacker can do with them. Even if malicious JavaScript is injected, the browser won't execute it if the script source isn't explicitly permitted. That's a meaningful reduction in blast radius.

Beyond XSS, CSP also:

Blocks mixed content — prevents HTTP resources from loading on HTTPS pages, protecting transport-layer security.

Prevents clickjacking — the frame-ancestors directive replaces the older X-Frame-Options header and gives you more granular control.

Limits data exfiltration — connect-src restricts where JavaScript can send data via fetch, XMLHttpRequest, and WebSockets.

!Diagram showing how a browser enforces CSP directives to block unauthorised scripts and connections

CSP Directives You Actually Need to Know

The CSP specification has dozens of directives, but most policies rely on a manageable subset.

Fetch Directives

These control where resources can be loaded from:

| Directive | Controls | |---|---| | default-src | Fallback for all resource types not explicitly listed | | script-src | JavaScript, including inline scripts and eval() | | style-src | Stylesheets and inline styles | | img-src | Images and favicons | | font-src | Web fonts | | connect-src | Fetch, XHR, WebSocket, EventSource | | frame-src | </code> sources | | <code>object-src</code> | Plugins (<code><object></code>, <code><embed></code>, <code><applet></code>) — set to <code>'none'</code> unless you have a genuine need | | <code>media-src</code> | Audio and video | | <code>worker-src</code> | Web Workers and Service Workers | | <code>manifest-src</code> | Web App Manifests |</p> <h3>Navigation Directives</h3> <ul><li><code>form-action</code> — restricts where <code><form></code> submissions can go. Often overlooked, but important.</li></ul> <ul><li><code>frame-ancestors</code> — controls which origins can embed your page in a frame. Replaces <code>X-Frame-Options</code>.</li></ul> <h3>Reporting Directives</h3> <ul><li><code>report-uri</code> (legacy, still widely supported) — a URL to which the browser POSTs violation reports.</li></ul> <ul><li><code>report-to</code> (newer, part of the Reporting API) — references a named endpoint defined in the <code>Reporting-Endpoints</code> header.</li></ul> <hr/> <h2>Source Values and Keywords</h2> <p>Within each directive, you specify one or more source expressions:</p> <ul><li><strong><code>'self'</code></strong> — same origin only. The single quotes are required.</li></ul> <ul><li><strong><code>'none'</code></strong> — nothing is allowed.</li></ul> <ul><li><strong><code>https://cdn.example.com</code></strong> — a specific origin.</li></ul> <ul><li><strong><code>https:</code></strong> — any HTTPS URL (broad; use sparingly).</li></ul> <ul><li><strong><code>'unsafe-inline'</code></strong> — allows inline <code><script></code> and <code><style></code> blocks. Substantially weakens the policy.</li></ul> <ul><li><strong><code>'unsafe-eval'</code></strong> — allows <code>eval()</code>, <code>new Function()</code>, and similar dynamic code execution.</li></ul> <ul><li><strong><code>'nonce-<base64>'</code></strong> — allows a specific inline script or style tagged with a matching <code>nonce</code> attribute. Regenerated per request.</li></ul> <ul><li><strong><code>'sha256-<hash>'</code></strong> — allows an inline resource whose content matches a specific SHA hash.</li></ul> <p>The goal of a mature CSP is to avoid <code>'unsafe-inline'</code> and <code>'unsafe-eval'</code> entirely. If you have legacy inline scripts you can't immediately refactor, nonces or hashes give you a path to safety without a wholesale rewrite.</p> <hr/> <h2>Building Your First Meaningful Policy</h2> <p>Don't try to write a perfect policy from scratch. The practical approach:</p> <ol><li><strong>Start in report-only mode.</strong> Deploy <code>Content-Security-Policy-Report-Only</code> with a reasonably strict policy and a <code>report-uri</code> endpoint. Collect real violation data from your actual traffic.</li><li><strong>Analyse violations.</strong> Group them by directive and source. Distinguish legitimate third-party resources (analytics, fonts, CDN assets) from genuine policy gaps.</li><li><strong>Refine and promote.</strong> Once violations settle to background noise, move the policy to the enforcing <code>Content-Security-Policy</code> header.</li><li><strong>Iterate.</strong> Every time you add a new third-party integration, widget, or CDN, revisit the policy.</li></ol> <p>A reasonable starting point for a modern web application:</p> <p><code>`</code> Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{RANDOM}' https://www.googletagmanager.com; style-src 'self' 'nonce-{RANDOM}' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://api.example.com; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests; report-uri /csp-violations <code>`</code></p> <p>Note <code>base-uri 'self'</code> — this blocks <code><base></code> tag injection, which can otherwise redirect all relative URLs. It's cheap insurance.</p> <hr/> <h2>Common CSP Mistakes to Avoid</h2> <p><strong>Wildcard sources.</strong> <code>script-src <em></code> or <code>default-src </em></code> defeats the purpose entirely. You might as well not have a policy.</p> <p><strong>Forgetting <code>object-src</code>.</strong> If <code>default-src</code> is set but <code>object-src</code> isn't explicitly listed, Flash and plugin-based exploits remain possible. Always set <code>object-src 'none'</code>.</p> <p><strong>Trusting entire CDN domains.</strong> <code>script-src https://cdn.jsdelivr.net</code> allows <em>any</em> file on that CDN — including attacker-controlled packages. Where possible, use Subresource Integrity (SRI) hashes alongside your CSP.</p> <p><strong>Deploying without a reporting endpoint.</strong> Without violation reports, you're flying blind. You won't know when a new deployment or third-party update breaks your policy.</p> <p><strong>Never revisiting the policy.</strong> CSP decays over time. Third-party scripts change their domains, new features get added, and whitelisted sources no longer serve anything. A stale policy is either too permissive or quietly breaking things for users.</p> <hr/> <h2>Monitoring Your CSP Health Continuously</h2> <p>Writing a CSP is a one-time effort. Keeping it correct is an ongoing operational concern — and that's where automated monitoring pays for itself.</p> <p>Uptrue's <a href="/monitoring/security-headers" target="_blank" rel="noopener noreferrer">security headers monitoring</a> checks your CSP (and other critical headers like <code>Strict-Transport-Security</code>, <code>X-Frame-Options</code>, and <code>Permissions-Policy</code>) on a scheduled basis and alerts you the moment a header disappears or changes unexpectedly. If a deployment accidentally strips your <code>Content-Security-Policy</code> header, you'll know within minutes rather than discovering it in a post-incident review.</p> <p>You can also cross-reference your CSP posture alongside your <a href="/monitoring/ssl-certificates" target="_blank" rel="noopener noreferrer">SSL certificate monitoring</a> to get a complete picture of your site's transport and content security at a glance.</p> <hr/> <h2>🔎 Check Your Headers Right Now</h2> <p>Curious how your site's CSP looks to the outside world? Run a free scan using <a href="/tools/security-headers-checker" target="_blank" rel="noopener noreferrer">Uptrue's Security Headers Checker</a> — no account required. You'll see exactly which headers are present, which are missing, and where your policy can be tightened.</p> <hr/> <h2>CSP and the Broader Security Headers Picture</h2> <p>CSP is the most complex of the common security headers, but it doesn't operate in isolation. A complete security headers posture includes:</p> <ul><li><strong><code>Strict-Transport-Security</code> (HSTS)</strong> — forces HTTPS connections, even if a user types <code>http://</code>.</li></ul> <ul><li><strong><code>X-Content-Type-Options: nosniff</code></strong> — prevents MIME-type sniffing attacks.</li></ul> <ul><li><strong><code>Referrer-Policy</code></strong> — controls how much referrer information is sent with outbound requests.</li></ul> <ul><li><strong><code>Permissions-Policy</code></strong> — restricts which browser APIs (camera, microphone, geolocation) scripts can access.</li></ul> <ul><li><strong><code>X-Frame-Options</code></strong> — superseded by CSP's <code>frame-ancestors</code> but still worth setting for older browsers.</li></ul> <p>Getting all of these right — and keeping them right as your infrastructure evolves — is exactly the kind of problem that monitoring was built to solve.</p> <hr/> <h2>Deploying CSP: Framework and Server Notes</h2> <p>A few quick implementation pointers:</p> <ul><li><strong>Nginx:</strong> Set headers in your <code>server</code> or <code>location</code> block: <code>add_header Content-Security-Policy "..." always;</code>. The <code>always</code> flag ensures the header is sent on error responses too.</li></ul> <ul><li><strong>Apache:</strong> Use <code>Header always set Content-Security-Policy "..."</code> in <code>.htaccess</code> or your VirtualHost config.</li></ul> <ul><li><strong>Next.js / Vercel:</strong> Use <code>next.config.js</code> headers or middleware to set the header server-side with a fresh nonce on each request.</li></ul> <ul><li><strong>WordPress:</strong> Plugins can inject the header, but server-level control is more reliable — plugin headers can be stripped by caching layers.</li></ul> <ul><li><strong>CDNs (Cloudflare, Fastly):</strong> Worker or Transform Rules let you inject or modify headers at the edge, which is useful when you don't control the origin server directly.</li></ul> <hr/> <h2>Conclusion</h2> <p>CSP is one of the few browser security mechanisms that gives you genuine leverage against the most common class of web vulnerability. It's not a magic fix — bugs in your code still need fixing — but a well-deployed policy dramatically limits what an attacker can do when they find one.</p> <p>The practical path is straightforward: start in report-only mode, collect violation data, refine the policy, and then enforce it. After that, treat CSP health as an operational metric you monitor continuously, not a checkbox you tick once.</p> <p><a href="/signup" target="_blank" rel="noopener noreferrer">Sign up for Uptrue</a> to get scheduled security header checks, instant alerts on policy changes, and a single dashboard across uptime, SSL, DNS, and security — so you always know your site is serving exactly what you intended.</p></div><div class="blog-share-subscribe"><div class="blog-share-row"><span class="blog-share-label">Share</span><a href="https://twitter.com/intent/tweet?text=CSP%20Explained%3A%20A%20Practical%20Guide%20to%20Content%20Security%20Policy&url=https%3A%2F%2Fuptrue.io%2Fblog%2Fcsp-explained-guide" target="_blank" rel="noopener noreferrer" class="blog-share-btn" aria-label="Share on X / Twitter"><svg width="16" height="16" viewBox="0 0 24 24" fill="currentColor"><path d="M18.244 2.25h3.308l-7.227 8.26 8.502 11.24H16.17l-4.714-6.231-5.401 6.231H2.744l7.73-8.835L1.254 2.25H8.08l4.713 6.231zm-1.161 17.52h1.833L7.084 4.126H5.117z"></path></svg>X / Twitter</a><a href="https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fuptrue.io%2Fblog%2Fcsp-explained-guide" target="_blank" rel="noopener noreferrer" class="blog-share-btn" aria-label="Share on LinkedIn"><svg width="16" height="16" viewBox="0 0 24 24" fill="currentColor"><path d="M20.447 20.452h-3.554v-5.569c0-1.328-.027-3.037-1.852-3.037-1.853 0-2.136 1.445-2.136 2.939v5.667H9.351V9h3.414v1.561h.046c.477-.9 1.637-1.85 3.37-1.85 3.601 0 4.267 2.37 4.267 5.455v6.286zM5.337 7.433a2.062 2.062 0 0 1-2.063-2.065 2.064 2.064 0 1 1 2.063 2.065zm1.782 13.019H3.555V9h3.564v11.452zM22.225 0H1.771C.792 0 0 .774 0 1.729v20.542C0 23.227.792 24 1.771 24h20.451C23.2 24 24 23.227 24 22.271V1.729C24 .774 23.2 0 22.222 0h.003z"></path></svg>LinkedIn</a><button class="blog-share-btn" aria-label="Copy link"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg>Copy link</button></div><div class="blog-subscribe-box"><div class="blog-subscribe-text"><div class="blog-subscribe-title">Get weekly reliability reports</div><div class="blog-subscribe-sub">Uptime rankings, incident summaries, and response time trends — every Monday.</div></div><form class="blog-subscribe-form"><input type="email" class="blog-subscribe-input" placeholder="your@email.com" required="" value=""/><button type="submit" class="blog-subscribe-btn">Subscribe</button></form></div></div><footer class="blog-article-footer"><div class="blog-author"><div class="blog-author-info"><span class="blog-author-name">Uptrue Team</span><span class="blog-author-role">Website Monitoring Platform</span></div></div></footer></article></div></div></div></main><footer class="pub-footer"><div class="container"><div class="footer-top"><div class="footer-brand"><a class="nav-logo" aria-label="Uptrue home" style="margin-bottom:var(--space-4);display:inline-flex" href="/"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 50" height="28" aria-hidden="true"><defs><linearGradient id="ftG" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" stop-color="#3b82f6"></stop><stop offset="100%" stop-color="#06b6d4"></stop></linearGradient></defs><path d="M20 6 L36 12 L36 24 C36 32 28 38 20 42 C12 38 4 32 4 24 L4 12 Z" fill="url(#ftG)"></path><text x="10" y="30" font-family="system-ui,-apple-system,sans-serif" font-size="16" font-weight="800" fill="white" letter-spacing="0.5"><tspan dy="0">U</tspan><tspan dy="-5">p</tspan></text><text x="46" y="34" font-family="system-ui,-apple-system,sans-serif" font-size="28" font-weight="700" fill="#ffffff" letter-spacing="-0.5">Uptrue</text></svg></a><p class="footer-desc">Uptime, performance & infrastructure monitoring for agencies and teams.</p><div class="footer-trust"><div class="footer-trust-item">🔒 Secure Payments via Stripe</div><div class="footer-trust-item">🛡️ GDPR Compliant · EU Data (Frankfurt)</div><div class="footer-trust-item">⚡ 99.9% SLA</div></div></div><div><div class="footer-col-title">Product</div><ul class="footer-links"><li><a href="/#features">Features</a></li><li><a href="/#pricing">Pricing</a></li><li><a href="/score">Score<span style="color:var(--color-up);font-size:10px"> Free</span></a></li><li><a href="/tracker">Tracker<span style="color:var(--color-up);font-size:10px"> Free</span></a></li><li><a href="/tools/ai-seo-checker">AI SEO Checker<span style="color:var(--color-up);font-size:10px"> Free</span></a></li><li><a href="/tools">All Free Tools</a></li><li><a href="/leaderboard">Leaderboard</a></li><li><a href="/blog">Blog</a></li><li><a href="/changelog">Changelog</a></li></ul></div><div><div class="footer-col-title">Legal</div><ul class="footer-links"><li><a href="/terms">Terms of Service</a></li><li><a href="/privacy">Privacy Policy</a></li><li><a href="/cookies">Cookie Policy</a></li><li><a href="/dpa">DPA</a></li><li><a href="/acceptable-use">Acceptable Use</a></li><li><a href="/refund-policy">Refund Policy</a></li><li><a href="/sla">SLA</a></li><li><a href="/ai-disclaimer">AI Disclaimer</a></li></ul></div><div><div class="footer-col-title">Company</div><ul class="footer-links"><li><a href="/about">About</a></li><li><a href="/contact">Contact</a></li><li><a href="/referrals">Referral Program</a></li><li><a href="/credits">Community Credits</a></li><li><a href="https://x.com/uptrue_io" target="_blank" rel="noopener noreferrer">X @uptrue_io</a></li><li><a href="https://www.linkedin.com/company/uptrue-io/" target="_blank" rel="noopener noreferrer">LinkedIn</a></li></ul></div><div><div class="footer-col-title">Support</div><ul class="footer-links"><li><a href="/help">Help Centre</a></li><li><a href="/docs">API Docs</a></li><li><a href="/status">Status</a></li><li><a href="/security">Security</a></li><li><a href="/subprocessors">Sub-processors</a></li></ul></div></div><div class="footer-bottom"><div>© 2026 <a href="https://find-and-update.company-information.service.gov.uk/company/02710980" target="_blank" rel="noopener noreferrer" style="color:inherit">Vision Software Solutions Limited</a> · Brentford, UK · Company No. 02710980</div><div style="display:flex;align-items:center;gap:var(--space-5)"><a href="/terms">Terms</a><a href="/privacy">Privacy</a><a href="/cookies">Cookies</a></div></div></div></footer><script src="/_next/static/chunks/0ae9w-nr5ni~n.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[25691,[\"/_next/static/chunks/15p1b~ciy.iiw.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"GoogleTagManager\"]\n3:I[242288,[\"/_next/static/chunks/15p1b~ciy.iiw.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"MicrosoftClarity\"]\n4:I[339756,[\"/_next/static/chunks/0x.73w57rn4ou.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/0i.l9589uvx0j.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"default\"]\n5:I[837457,[\"/_next/static/chunks/0x.73w57rn4ou.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/0i.l9589uvx0j.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"default\"]\n6:I[999765,[\"/_next/static/chunks/15p1b~ciy.iiw.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"BackToTop\"]\n7:I[936719,[\"/_next/static/chunks/15p1b~ciy.iiw.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"CookieConsent\"]\nd:I[168027,[\"/_next/static/chunks/15p1b~ciy.iiw.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"default\",1]\n11:I[897367,[\"/_next/static/chunks/0x.73w57rn4ou.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/0i.l9589uvx0j.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"OutletBoundary\"]\n12:\"$Sreact.suspense\"\n15:I[897367,[\"/_next/static/chunks/0x.73w57rn4ou.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/0i.l9589uvx0j.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"ViewportBoundary\"]\n17:I[897367,[\"/_next/static/chunks/0x.73w57rn4ou.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/0i.l9589uvx0j.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"MetadataBoundary\"]\n:HL[\"/_next/static/chunks/0v5n5bwvois7-.css?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"style\"]\n:HL[\"/_next/static/chunks/0tuntgp.kfy5o.css?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"style\"]\n:HL[\"/_next/static/media/70bc3e132a0a741e-s.p.1409xf.ylxg8g.woff2?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n:HL[\"/_next/static/media/83afe278b6a6bb3c-s.p.0q-301v4kxxnr.woff2?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"c\":[\"\",\"blog\",\"csp-explained-guide\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"(public)\",{\"children\":[\"blog\",{\"children\":[[\"slug\",\"csp-explained-guide\",\"d\",null],{\"children\":[\"__PAGE__\",{}]}]}]}]},\"$undefined\",\"$undefined\",16],[[\"$\",\"$1\",\"c\",{\"children\":[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/chunks/0v5n5bwvois7-.css?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\",\"nonce\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/chunks/0tuntgp.kfy5o.css?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\",\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/15p1b~ciy.iiw.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"html\",null,{\"lang\":\"en\",\"className\":\"inter_7b064e0d-module__MOT0tq__variable jetbrains_mono_9a2f2d6c-module__wsyXyG__variable\",\"suppressHydrationWarning\":true,\"children\":[\"$\",\"body\",null,{\"children\":[[\"$\",\"script\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"\\n (function() {\\n var saved = localStorage.getItem('uptrue_theme');\\n if (saved !== 'light') {\\n document.documentElement.classList.add('dark');\\n }\\n })();\\n \"}}],[\"$\",\"$L2\",null,{}],[\"$\",\"$L3\",null,{}],[\"$\",\"$L4\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L5\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":[[[\"$\",\"title\",null,{\"children\":\"404: This page could not be found.\"}],[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"padding\":\"0 23px 0 0\",\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\",\"lineHeight\":\"49px\"},\"children\":404}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"49px\",\"margin\":0},\"children\":\"This page could not be found.\"}]}]]}]}]],[]],\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}],[\"$\",\"$L6\",null,{}],[\"$\",\"$L7\",null,{}]]}]}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/05pi3py3cfs38.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/0-iznpjei-m1s.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"async\":true,\"nonce\":\"$undefined\"}]],[[\"$\",\"a\",null,{\"href\":\"#main-content\",\"className\":\"skip-link\",\"children\":\"Skip to main content\"}],\"$L8\",[\"$\",\"main\",null,{\"id\":\"main-content\",\"children\":[\"$\",\"$L4\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L5\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":[[[\"$\",\"title\",null,{\"children\":\"404: This page could not be found.\"}],[\"$\",\"div\",null,{\"style\":\"$0:f:0:1:0:props:children:1:props:children:props:children:3:props:notFound:0:1:props:style\",\"children\":[\"$\",\"div\",null,{\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":\"$0:f:0:1:0:props:children:1:props:children:props:children:3:props:notFound:0:1:props:children:props:children:1:props:style\",\"children\":404}],[\"$\",\"div\",null,{\"style\":\"$0:f:0:1:0:props:children:1:props:children:props:children:3:props:notFound:0:1:props:children:props:children:2:props:style\",\"children\":[\"$\",\"h2\",null,{\"style\":\"$0:f:0:1:0:props:children:1:props:children:props:children:3:props:notFound:0:1:props:children:props:children:2:props:children:props:style\",\"children\":\"This page could not be found.\"}]}]]}]}]],[]],\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]}],\"$L9\"]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"div\",null,{\"className\":\"blog-layout\",\"children\":[\"$\",\"div\",null,{\"className\":\"blog-main\",\"style\":{\"paddingTop\":0,\"paddingLeft\":0,\"paddingRight\":0},\"children\":[\"$\",\"$L4\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L5\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]}]}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L4\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L5\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[\"$La\",{},null,false,null]},null,false,\"$@b\"]},null,false,null]},null,false,null]},null,false,null],\"$Lc\",false]],\"m\":\"$undefined\",\"G\":[\"$d\",[\"$Le\",\"$Lf\"]],\"S\":false,\"h\":null,\"s\":\"$undefined\",\"l\":\"$undefined\",\"p\":\"$undefined\",\"d\":\"$undefined\"}\n"])</script><script>self.__next_f.push([1,"a:[\"$\",\"$1\",\"c\",{\"children\":[\"$L10\",[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/0c0825n.37_1~.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L11\",null,{\"children\":[\"$\",\"$12\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@13\"}]}]]}]\n14:[]\nb:\"$W14\"\nc:[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L15\",null,{\"children\":\"$L16\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L17\",null,{\"children\":[\"$\",\"$12\",null,{\"name\":\"Next.Metadata\",\"children\":\"$L18\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}]\ne:[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/chunks/0v5n5bwvois7-.css?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\",\"nonce\":\"$undefined\"}]\nf:[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/chunks/0tuntgp.kfy5o.css?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\",\"nonce\":\"$undefined\"}]\n16:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"2\",{\"name\":\"theme-color\",\"content\":\"#ffffff\",\"media\":\"(prefers-color-scheme: light)\"}],[\"$\",\"meta\",\"3\",{\"name\":\"theme-color\",\"content\":\"#0f172a\",\"media\":\"(prefers-color-scheme: dark)\"}]]\n"])</script><script>self.__next_f.push([1,"19:I[358263,[\"/_next/static/chunks/15p1b~ciy.iiw.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/05pi3py3cfs38.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/0-iznpjei-m1s.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"PublicNavClient\"]\n8:[\"$\",\"$L19\",null,{\"links\":[{\"href\":\"/monitoring\",\"label\":\"Monitoring\"},{\"href\":\"/wordpress-monitor\",\"badge\":\"Plugin\",\"label\":\"WordPress\"},{\"href\":\"/tools\",\"badge\":\"Free\",\"label\":\"Tools\"},{\"href\":\"/tracker\",\"badge\":\"Free\",\"label\":\"Tracker\"},{\"href\":\"/#pricing\",\"label\":\"Pricing\"},{\"href\":\"/blog\",\"label\":\"Blog\"}],\"ctaPrimary\":{\"href\":\"/signup\",\"text\":\"Start Free\"},\"ctaSecondary\":{\"href\":\"/login\",\"text\":\"Log in\"}}]\n"])</script><script>self.__next_f.push([1,"1a:I[522016,[\"/_next/static/chunks/15p1b~ciy.iiw.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/05pi3py3cfs38.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/0-iznpjei-m1s.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/0c0825n.37_1~.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"\"]\n"])</script><script>self.__next_f.push([1,"9:[\"$\",\"footer\",null,{\"className\":\"pub-footer\",\"children\":[\"$\",\"div\",null,{\"className\":\"container\",\"children\":[[\"$\",\"div\",null,{\"className\":\"footer-top\",\"children\":[[\"$\",\"div\",null,{\"className\":\"footer-brand\",\"children\":[[\"$\",\"$L1a\",null,{\"href\":\"/\",\"className\":\"nav-logo\",\"aria-label\":\"Uptrue home\",\"style\":{\"marginBottom\":\"var(--space-4)\",\"display\":\"inline-flex\"},\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"viewBox\":\"0 0 200 50\",\"height\":\"28\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"defs\",null,{\"children\":[\"$\",\"linearGradient\",null,{\"id\":\"ftG\",\"x1\":\"0%\",\"y1\":\"0%\",\"x2\":\"100%\",\"y2\":\"100%\",\"children\":[[\"$\",\"stop\",null,{\"offset\":\"0%\",\"stopColor\":\"#3b82f6\"}],[\"$\",\"stop\",null,{\"offset\":\"100%\",\"stopColor\":\"#06b6d4\"}]]}]}],[\"$\",\"path\",null,{\"d\":\"M20 6 L36 12 L36 24 C36 32 28 38 20 42 C12 38 4 32 4 24 L4 12 Z\",\"fill\":\"url(#ftG)\"}],[\"$\",\"text\",null,{\"x\":\"10\",\"y\":\"30\",\"fontFamily\":\"system-ui,-apple-system,sans-serif\",\"fontSize\":\"16\",\"fontWeight\":\"800\",\"fill\":\"white\",\"letterSpacing\":\"0.5\",\"children\":[[\"$\",\"tspan\",null,{\"dy\":\"0\",\"children\":\"U\"}],[\"$\",\"tspan\",null,{\"dy\":\"-5\",\"children\":\"p\"}]]}],[\"$\",\"text\",null,{\"x\":\"46\",\"y\":\"34\",\"fontFamily\":\"system-ui,-apple-system,sans-serif\",\"fontSize\":\"28\",\"fontWeight\":\"700\",\"fill\":\"#ffffff\",\"letterSpacing\":\"-0.5\",\"children\":\"Uptrue\"}]]}]}],[\"$\",\"p\",null,{\"className\":\"footer-desc\",\"children\":\"Uptime, performance \u0026 infrastructure monitoring for agencies and teams.\"}],[\"$\",\"div\",null,{\"className\":\"footer-trust\",\"children\":[[\"$\",\"div\",\"🔒 Secure Payments via Stripe\",{\"className\":\"footer-trust-item\",\"children\":\"🔒 Secure Payments via Stripe\"}],[\"$\",\"div\",\"🛡️ GDPR Compliant · EU Data (Frankfurt)\",{\"className\":\"footer-trust-item\",\"children\":\"🛡️ GDPR Compliant · EU Data (Frankfurt)\"}],[\"$\",\"div\",\"⚡ 99.9% SLA\",{\"className\":\"footer-trust-item\",\"children\":\"⚡ 99.9% SLA\"}]]}]]}],[[\"$\",\"div\",\"Product\",{\"children\":[[\"$\",\"div\",null,{\"className\":\"footer-col-title\",\"children\":\"Product\"}],[\"$\",\"ul\",null,{\"className\":\"footer-links\",\"children\":[[\"$\",\"li\",\"/#features\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/#features\",\"children\":[\"Features\",\"$undefined\"]}]}],[\"$\",\"li\",\"/#pricing\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/#pricing\",\"children\":[\"Pricing\",\"$undefined\"]}]}],[\"$\",\"li\",\"/score\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/score\",\"children\":[\"Score\",[\"$\",\"span\",null,{\"style\":{\"color\":\"var(--color-up)\",\"fontSize\":10},\"children\":[\" \",\"Free\"]}]]}]}],[\"$\",\"li\",\"/tracker\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/tracker\",\"children\":[\"Tracker\",[\"$\",\"span\",null,{\"style\":{\"color\":\"var(--color-up)\",\"fontSize\":10},\"children\":[\" \",\"Free\"]}]]}]}],[\"$\",\"li\",\"/tools/ai-seo-checker\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/tools/ai-seo-checker\",\"children\":[\"AI SEO Checker\",[\"$\",\"span\",null,{\"style\":{\"color\":\"var(--color-up)\",\"fontSize\":10},\"children\":[\" \",\"Free\"]}]]}]}],[\"$\",\"li\",\"/tools\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/tools\",\"children\":[\"All Free Tools\",\"$undefined\"]}]}],[\"$\",\"li\",\"/leaderboard\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/leaderboard\",\"children\":[\"Leaderboard\",\"$undefined\"]}]}],[\"$\",\"li\",\"/blog\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/blog\",\"children\":[\"Blog\",\"$undefined\"]}]}],[\"$\",\"li\",\"/changelog\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/changelog\",\"children\":[\"Changelog\",\"$undefined\"]}]}]]}]]}],[\"$\",\"div\",\"Legal\",{\"children\":[[\"$\",\"div\",null,{\"className\":\"footer-col-title\",\"children\":\"Legal\"}],[\"$\",\"ul\",null,{\"className\":\"footer-links\",\"children\":[[\"$\",\"li\",\"/terms\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/terms\",\"children\":[\"Terms of Service\",\"$undefined\"]}]}],[\"$\",\"li\",\"/privacy\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/privacy\",\"children\":[\"Privacy Policy\",\"$undefined\"]}]}],[\"$\",\"li\",\"/cookies\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/cookies\",\"children\":[\"Cookie Policy\",\"$undefined\"]}]}],[\"$\",\"li\",\"/dpa\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/dpa\",\"children\":[\"DPA\",\"$undefined\"]}]}],[\"$\",\"li\",\"/acceptable-use\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/acceptable-use\",\"children\":[\"Acceptable Use\",\"$undefined\"]}]}],[\"$\",\"li\",\"/refund-policy\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/refund-policy\",\"children\":[\"Refund Policy\",\"$undefined\"]}]}],[\"$\",\"li\",\"/sla\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/sla\",\"children\":[\"SLA\",\"$undefined\"]}]}],[\"$\",\"li\",\"/ai-disclaimer\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/ai-disclaimer\",\"children\":[\"AI Disclaimer\",\"$undefined\"]}]}]]}]]}],[\"$\",\"div\",\"Company\",{\"children\":[[\"$\",\"div\",null,{\"className\":\"footer-col-title\",\"children\":\"Company\"}],[\"$\",\"ul\",null,{\"className\":\"footer-links\",\"children\":[[\"$\",\"li\",\"/about\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/about\",\"children\":[\"About\",\"$undefined\"]}]}],[\"$\",\"li\",\"/contact\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/contact\",\"children\":[\"Contact\",\"$undefined\"]}]}],[\"$\",\"li\",\"/referrals\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/referrals\",\"children\":[\"Referral Program\",\"$undefined\"]}]}],[\"$\",\"li\",\"/credits\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/credits\",\"children\":[\"Community Credits\",\"$undefined\"]}]}],[\"$\",\"li\",\"https://x.com/uptrue_io\",{\"children\":[\"$\",\"a\",null,{\"href\":\"https://x.com/uptrue_io\",\"target\":\"_blank\",\"rel\":\"noopener noreferrer\",\"children\":[\"X @uptrue_io\",\"$undefined\"]}]}],[\"$\",\"li\",\"https://www.linkedin.com/company/uptrue-io/\",{\"children\":\"$L1b\"}]]}]]}],\"$L1c\"]]}],\"$L1d\"]}]}]\n"])</script><script>self.__next_f.push([1,"1b:[\"$\",\"a\",null,{\"href\":\"https://www.linkedin.com/company/uptrue-io/\",\"target\":\"_blank\",\"rel\":\"noopener noreferrer\",\"children\":[\"LinkedIn\",\"$undefined\"]}]\n1c:[\"$\",\"div\",\"Support\",{\"children\":[[\"$\",\"div\",null,{\"className\":\"footer-col-title\",\"children\":\"Support\"}],[\"$\",\"ul\",null,{\"className\":\"footer-links\",\"children\":[[\"$\",\"li\",\"/help\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/help\",\"children\":[\"Help Centre\",\"$undefined\"]}]}],[\"$\",\"li\",\"/docs\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/docs\",\"children\":[\"API Docs\",\"$undefined\"]}]}],[\"$\",\"li\",\"/status\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/status\",\"children\":[\"Status\",\"$undefined\"]}]}],[\"$\",\"li\",\"/security\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/security\",\"children\":[\"Security\",\"$undefined\"]}]}],[\"$\",\"li\",\"/subprocessors\",{\"children\":[\"$\",\"$L1a\",null,{\"href\":\"/subprocessors\",\"children\":[\"Sub-processors\",\"$undefined\"]}]}]]}]]}]\n1d:[\"$\",\"div\",null,{\"className\":\"footer-bottom\",\"children\":[[\"$\",\"div\",null,{\"children\":[\"© \",2026,\" \",[\"$\",\"a\",null,{\"href\":\"https://find-and-update.company-information.service.gov.uk/company/02710980\",\"target\":\"_blank\",\"rel\":\"noopener noreferrer\",\"style\":{\"color\":\"inherit\"},\"children\":\"Vision Software Solutions Limited\"}],\" \",\"· Brentford, UK · Company No. 02710980\"]}],[\"$\",\"div\",null,{\"style\":{\"display\":\"flex\",\"alignItems\":\"center\",\"gap\":\"var(--space-5)\"},\"children\":[[\"$\",\"$L1a\",null,{\"href\":\"/terms\",\"children\":\"Terms\"}],[\"$\",\"$L1a\",null,{\"href\":\"/privacy\",\"children\":\"Privacy\"}],[\"$\",\"$L1a\",null,{\"href\":\"/cookies\",\"children\":\"Cookies\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"21:I[27201,[\"/_next/static/chunks/0x.73w57rn4ou.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/0i.l9589uvx0j.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"IconMark\"]\n1e:T3512,"])</script><script>self.__next_f.push([1,"\u003ch1\u003eCSP Explained: A Practical Guide to Content Security Policy\u003c/h1\u003e\n\u003cp\u003e\u003cem\u003eBy Krithi\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eIf you've ever opened your browser's developer console and seen a wall of \u003ccode\u003eContent-Security-Policy\u003c/code\u003e violations, or inherited a codebase where someone just set \u003ccode\u003edefault-src *\u003c/code\u003e and called it a day, you already know the problem. Content Security Policy is one of the most powerful browser security mechanisms available — and one of the most routinely misunderstood. This guide cuts through the noise and gives you a clear, working understanding of what CSP does, how to write a sensible policy, and how to keep it healthy over time.\u003c/p\u003e\n\u003chr/\u003e\n\u003ch2\u003eWhat Is Content Security Policy?\u003c/h2\u003e\n\u003cp\u003eContent Security Policy (CSP) is an HTTP response header that tells the browser which sources of content — scripts, stylesheets, images, fonts, frames, and more — are allowed to load on a given page. Any resource that doesn't match the policy is blocked before it can execute or render.\u003c/p\u003e\n\u003cp\u003eThe core idea is straightforward: instead of relying solely on the server to serve clean content, you explicitly whitelist what's permitted. This creates a strong second line of defence against \u003cstrong\u003ecross-site scripting (XSS)\u003c/strong\u003e, \u003cstrong\u003eclickjacking\u003c/strong\u003e, \u003cstrong\u003emixed-content injection\u003c/strong\u003e, and \u003cstrong\u003edata exfiltration\u003c/strong\u003e attacks.\u003c/p\u003e\n\u003cp\u003eCSP is delivered as a response header:\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e`\u003c/code\u003e Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none' \u003ccode\u003e`\u003c/code\u003e\u003c/p\u003e\n\u003cp\u003eOr, during development and rollout, as a report-only header that logs violations without blocking anything:\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e`\u003c/code\u003e Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-reports \u003ccode\u003e`\u003c/code\u003e\u003c/p\u003e\n\u003cp\u003eThe browser interprets the header, enforces (or observes) the policy, and — if you've set up a reporting endpoint — sends JSON violation reports whenever something is blocked.\u003c/p\u003e\n\u003chr/\u003e\n\u003ch2\u003eWhy CSP Matters for Real-World Security\u003c/h2\u003e\n\u003cp\u003eXSS remains one of the most common web vulnerabilities. An attacker who finds a way to inject arbitrary HTML or JavaScript into your page can steal session cookies, capture form inputs, redirect users, or silently beacon data to an external server.\u003c/p\u003e\n\u003cp\u003eA well-crafted CSP doesn't eliminate XSS bugs in your code, but it severely limits what an attacker can do with them. Even if malicious JavaScript is injected, the browser won't execute it if the script source isn't explicitly permitted. That's a meaningful reduction in blast radius.\u003c/p\u003e\n\u003cp\u003eBeyond XSS, CSP also:\u003c/p\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003eBlocks mixed content\u003c/strong\u003e — prevents HTTP resources from loading on HTTPS pages, protecting transport-layer security.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003ePrevents clickjacking\u003c/strong\u003e — the \u003ccode\u003eframe-ancestors\u003c/code\u003e directive replaces the older \u003ccode\u003eX-Frame-Options\u003c/code\u003e header and gives you more granular control.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003eLimits data exfiltration\u003c/strong\u003e — \u003ccode\u003econnect-src\u003c/code\u003e restricts where JavaScript can send data via \u003ccode\u003efetch\u003c/code\u003e, \u003ccode\u003eXMLHttpRequest\u003c/code\u003e, and WebSockets.\u003c/li\u003e\u003c/ul\u003e\n\u003cp\u003e!\u003ca href=\"image-placeholder.svg\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eDiagram showing how a browser enforces CSP directives to block unauthorised scripts and connections\u003c/a\u003e\u003c/p\u003e\n\u003chr/\u003e\n\u003ch2\u003eCSP Directives You Actually Need to Know\u003c/h2\u003e\n\u003cp\u003eThe CSP specification has dozens of directives, but most policies rely on a manageable subset.\u003c/p\u003e\n\u003ch3\u003eFetch Directives\u003c/h3\u003e\n\u003cp\u003eThese control where resources can be loaded from:\u003c/p\u003e\n\u003cp\u003e| Directive | Controls | |---|---| | \u003ccode\u003edefault-src\u003c/code\u003e | Fallback for all resource types not explicitly listed | | \u003ccode\u003escript-src\u003c/code\u003e | JavaScript, including inline scripts and \u003ccode\u003eeval()\u003c/code\u003e | | \u003ccode\u003estyle-src\u003c/code\u003e | Stylesheets and inline styles | | \u003ccode\u003eimg-src\u003c/code\u003e | Images and favicons | | \u003ccode\u003efont-src\u003c/code\u003e | Web fonts | | \u003ccode\u003econnect-src\u003c/code\u003e | Fetch, XHR, WebSocket, EventSource | | \u003ccode\u003eframe-src\u003c/code\u003e | \u003ccode\u003e\u003ciframe\u003e\u003c/code\u003e sources | | \u003ccode\u003eobject-src\u003c/code\u003e | Plugins (\u003ccode\u003e\u003cobject\u003e\u003c/code\u003e, \u003ccode\u003e\u003cembed\u003e\u003c/code\u003e, \u003ccode\u003e\u003capplet\u003e\u003c/code\u003e) — set to \u003ccode\u003e'none'\u003c/code\u003e unless you have a genuine need | | \u003ccode\u003emedia-src\u003c/code\u003e | Audio and video | | \u003ccode\u003eworker-src\u003c/code\u003e | Web Workers and Service Workers | | \u003ccode\u003emanifest-src\u003c/code\u003e | Web App Manifests |\u003c/p\u003e\n\u003ch3\u003eNavigation Directives\u003c/h3\u003e\n\u003cul\u003e\u003cli\u003e\u003ccode\u003eform-action\u003c/code\u003e — restricts where \u003ccode\u003e\u003cform\u003e\u003c/code\u003e submissions can go. Often overlooked, but important.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003ccode\u003eframe-ancestors\u003c/code\u003e — controls which origins can embed your page in a frame. Replaces \u003ccode\u003eX-Frame-Options\u003c/code\u003e.\u003c/li\u003e\u003c/ul\u003e\n\u003ch3\u003eReporting Directives\u003c/h3\u003e\n\u003cul\u003e\u003cli\u003e\u003ccode\u003ereport-uri\u003c/code\u003e (legacy, still widely supported) — a URL to which the browser POSTs violation reports.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003ccode\u003ereport-to\u003c/code\u003e (newer, part of the Reporting API) — references a named endpoint defined in the \u003ccode\u003eReporting-Endpoints\u003c/code\u003e header.\u003c/li\u003e\u003c/ul\u003e\n\u003chr/\u003e\n\u003ch2\u003eSource Values and Keywords\u003c/h2\u003e\n\u003cp\u003eWithin each directive, you specify one or more source expressions:\u003c/p\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e'self'\u003c/code\u003e\u003c/strong\u003e — same origin only. The single quotes are required.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e'none'\u003c/code\u003e\u003c/strong\u003e — nothing is allowed.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003ehttps://cdn.example.com\u003c/code\u003e\u003c/strong\u003e — a specific origin.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003ehttps:\u003c/code\u003e\u003c/strong\u003e — any HTTPS URL (broad; use sparingly).\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e'unsafe-inline'\u003c/code\u003e\u003c/strong\u003e — allows inline \u003ccode\u003e\u003cscript\u003e\u003c/code\u003e and \u003ccode\u003e\u003cstyle\u003e\u003c/code\u003e blocks. Substantially weakens the policy.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e'unsafe-eval'\u003c/code\u003e\u003c/strong\u003e — allows \u003ccode\u003eeval()\u003c/code\u003e, \u003ccode\u003enew Function()\u003c/code\u003e, and similar dynamic code execution.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e'nonce-\u003cbase64\u003e'\u003c/code\u003e\u003c/strong\u003e — allows a specific inline script or style tagged with a matching \u003ccode\u003enonce\u003c/code\u003e attribute. Regenerated per request.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e'sha256-\u003chash\u003e'\u003c/code\u003e\u003c/strong\u003e — allows an inline resource whose content matches a specific SHA hash.\u003c/li\u003e\u003c/ul\u003e\n\u003cp\u003eThe goal of a mature CSP is to avoid \u003ccode\u003e'unsafe-inline'\u003c/code\u003e and \u003ccode\u003e'unsafe-eval'\u003c/code\u003e entirely. If you have legacy inline scripts you can't immediately refactor, nonces or hashes give you a path to safety without a wholesale rewrite.\u003c/p\u003e\n\u003chr/\u003e\n\u003ch2\u003eBuilding Your First Meaningful Policy\u003c/h2\u003e\n\u003cp\u003eDon't try to write a perfect policy from scratch. The practical approach:\u003c/p\u003e\n\u003col\u003e\u003cli\u003e\u003cstrong\u003eStart in report-only mode.\u003c/strong\u003e Deploy \u003ccode\u003eContent-Security-Policy-Report-Only\u003c/code\u003e with a reasonably strict policy and a \u003ccode\u003ereport-uri\u003c/code\u003e endpoint. Collect real violation data from your actual traffic.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAnalyse violations.\u003c/strong\u003e Group them by directive and source. Distinguish legitimate third-party resources (analytics, fonts, CDN assets) from genuine policy gaps.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eRefine and promote.\u003c/strong\u003e Once violations settle to background noise, move the policy to the enforcing \u003ccode\u003eContent-Security-Policy\u003c/code\u003e header.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eIterate.\u003c/strong\u003e Every time you add a new third-party integration, widget, or CDN, revisit the policy.\u003c/li\u003e\u003c/ol\u003e\n\u003cp\u003eA reasonable starting point for a modern web application:\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e`\u003c/code\u003e Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{RANDOM}' https://www.googletagmanager.com; style-src 'self' 'nonce-{RANDOM}' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://api.example.com; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests; report-uri /csp-violations \u003ccode\u003e`\u003c/code\u003e\u003c/p\u003e\n\u003cp\u003eNote \u003ccode\u003ebase-uri 'self'\u003c/code\u003e — this blocks \u003ccode\u003e\u003cbase\u003e\u003c/code\u003e tag injection, which can otherwise redirect all relative URLs. It's cheap insurance.\u003c/p\u003e\n\u003chr/\u003e\n\u003ch2\u003eCommon CSP Mistakes to Avoid\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eWildcard sources.\u003c/strong\u003e \u003ccode\u003escript-src \u003cem\u003e\u003c/code\u003e or \u003ccode\u003edefault-src \u003c/em\u003e\u003c/code\u003e defeats the purpose entirely. You might as well not have a policy.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eForgetting \u003ccode\u003eobject-src\u003c/code\u003e.\u003c/strong\u003e If \u003ccode\u003edefault-src\u003c/code\u003e is set but \u003ccode\u003eobject-src\u003c/code\u003e isn't explicitly listed, Flash and plugin-based exploits remain possible. Always set \u003ccode\u003eobject-src 'none'\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTrusting entire CDN domains.\u003c/strong\u003e \u003ccode\u003escript-src https://cdn.jsdelivr.net\u003c/code\u003e allows \u003cem\u003eany\u003c/em\u003e file on that CDN — including attacker-controlled packages. Where possible, use Subresource Integrity (SRI) hashes alongside your CSP.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDeploying without a reporting endpoint.\u003c/strong\u003e Without violation reports, you're flying blind. You won't know when a new deployment or third-party update breaks your policy.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eNever revisiting the policy.\u003c/strong\u003e CSP decays over time. Third-party scripts change their domains, new features get added, and whitelisted sources no longer serve anything. A stale policy is either too permissive or quietly breaking things for users.\u003c/p\u003e\n\u003chr/\u003e\n\u003ch2\u003eMonitoring Your CSP Health Continuously\u003c/h2\u003e\n\u003cp\u003eWriting a CSP is a one-time effort. Keeping it correct is an ongoing operational concern — and that's where automated monitoring pays for itself.\u003c/p\u003e\n\u003cp\u003eUptrue's \u003ca href=\"/monitoring/security-headers\" target=\"_blank\" rel=\"noopener noreferrer\"\u003esecurity headers monitoring\u003c/a\u003e checks your CSP (and other critical headers like \u003ccode\u003eStrict-Transport-Security\u003c/code\u003e, \u003ccode\u003eX-Frame-Options\u003c/code\u003e, and \u003ccode\u003ePermissions-Policy\u003c/code\u003e) on a scheduled basis and alerts you the moment a header disappears or changes unexpectedly. If a deployment accidentally strips your \u003ccode\u003eContent-Security-Policy\u003c/code\u003e header, you'll know within minutes rather than discovering it in a post-incident review.\u003c/p\u003e\n\u003cp\u003eYou can also cross-reference your CSP posture alongside your \u003ca href=\"/monitoring/ssl-certificates\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eSSL certificate monitoring\u003c/a\u003e to get a complete picture of your site's transport and content security at a glance.\u003c/p\u003e\n\u003chr/\u003e\n\u003ch2\u003e🔎 Check Your Headers Right Now\u003c/h2\u003e\n\u003cp\u003eCurious how your site's CSP looks to the outside world? Run a free scan using \u003ca href=\"/tools/security-headers-checker\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eUptrue's Security Headers Checker\u003c/a\u003e — no account required. You'll see exactly which headers are present, which are missing, and where your policy can be tightened.\u003c/p\u003e\n\u003chr/\u003e\n\u003ch2\u003eCSP and the Broader Security Headers Picture\u003c/h2\u003e\n\u003cp\u003eCSP is the most complex of the common security headers, but it doesn't operate in isolation. A complete security headers posture includes:\u003c/p\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003eStrict-Transport-Security\u003c/code\u003e (HSTS)\u003c/strong\u003e — forces HTTPS connections, even if a user types \u003ccode\u003ehttp://\u003c/code\u003e.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003eX-Content-Type-Options: nosniff\u003c/code\u003e\u003c/strong\u003e — prevents MIME-type sniffing attacks.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003eReferrer-Policy\u003c/code\u003e\u003c/strong\u003e — controls how much referrer information is sent with outbound requests.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003ePermissions-Policy\u003c/code\u003e\u003c/strong\u003e — restricts which browser APIs (camera, microphone, geolocation) scripts can access.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003e\u003ccode\u003eX-Frame-Options\u003c/code\u003e\u003c/strong\u003e — superseded by CSP's \u003ccode\u003eframe-ancestors\u003c/code\u003e but still worth setting for older browsers.\u003c/li\u003e\u003c/ul\u003e\n\u003cp\u003eGetting all of these right — and keeping them right as your infrastructure evolves — is exactly the kind of problem that monitoring was built to solve.\u003c/p\u003e\n\u003chr/\u003e\n\u003ch2\u003eDeploying CSP: Framework and Server Notes\u003c/h2\u003e\n\u003cp\u003eA few quick implementation pointers:\u003c/p\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003eNginx:\u003c/strong\u003e Set headers in your \u003ccode\u003eserver\u003c/code\u003e or \u003ccode\u003elocation\u003c/code\u003e block: \u003ccode\u003eadd_header Content-Security-Policy \"...\" always;\u003c/code\u003e. The \u003ccode\u003ealways\u003c/code\u003e flag ensures the header is sent on error responses too.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003eApache:\u003c/strong\u003e Use \u003ccode\u003eHeader always set Content-Security-Policy \"...\"\u003c/code\u003e in \u003ccode\u003e.htaccess\u003c/code\u003e or your VirtualHost config.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003eNext.js / Vercel:\u003c/strong\u003e Use \u003ccode\u003enext.config.js\u003c/code\u003e headers or middleware to set the header server-side with a fresh nonce on each request.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003eWordPress:\u003c/strong\u003e Plugins can inject the header, but server-level control is more reliable — plugin headers can be stripped by caching layers.\u003c/li\u003e\u003c/ul\u003e\n\u003cul\u003e\u003cli\u003e\u003cstrong\u003eCDNs (Cloudflare, Fastly):\u003c/strong\u003e Worker or Transform Rules let you inject or modify headers at the edge, which is useful when you don't control the origin server directly.\u003c/li\u003e\u003c/ul\u003e\n\u003chr/\u003e\n\u003ch2\u003eConclusion\u003c/h2\u003e\n\u003cp\u003eCSP is one of the few browser security mechanisms that gives you genuine leverage against the most common class of web vulnerability. It's not a magic fix — bugs in your code still need fixing — but a well-deployed policy dramatically limits what an attacker can do when they find one.\u003c/p\u003e\n\u003cp\u003eThe practical path is straightforward: start in report-only mode, collect violation data, refine the policy, and then enforce it. After that, treat CSP health as an operational metric you monitor continuously, not a checkbox you tick once.\u003c/p\u003e\n\u003cp\u003e\u003ca href=\"/signup\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eSign up for Uptrue\u003c/a\u003e to get scheduled security header checks, instant alerts on policy changes, and a single dashboard across uptime, SSL, DNS, and security — so you always know your site is serving exactly what you intended.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"10:[\"$\",\"div\",null,{\"className\":\"blog-article-wrap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"blog-article-hero\",\"children\":[\"$\",\"div\",null,{\"className\":\"$undefined\",\"style\":{\"width\":\"100%\",\"height\":\"100%\",\"overflow\":\"hidden\",\"display\":\"block\"},\"aria-hidden\":\"true\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"viewBox\":\"0 0 280 148\",\"width\":\"100%\",\"height\":\"100%\",\"preserveAspectRatio\":\"xMidYMid slice\",\"style\":{\"display\":\"block\"},\"children\":[[\"$\",\"defs\",null,{\"children\":[[\"$\",\"linearGradient\",null,{\"id\":\"bcg-default\",\"x1\":\"0%\",\"y1\":\"0%\",\"x2\":\"100%\",\"y2\":\"100%\",\"children\":[[\"$\",\"stop\",null,{\"offset\":\"0%\",\"stopColor\":\"#1d4ed8\"}],[\"$\",\"stop\",null,{\"offset\":\"100%\",\"stopColor\":\"#0e7490\"}]]}],[\"$\",\"radialGradient\",null,{\"id\":\"bcg-default-vgn\",\"cx\":\"50%\",\"cy\":\"50%\",\"r\":\"70%\",\"children\":[[\"$\",\"stop\",null,{\"offset\":\"0%\",\"stopColor\":\"rgba(0,0,0,0)\"}],[\"$\",\"stop\",null,{\"offset\":\"100%\",\"stopColor\":\"rgba(0,0,0,0.28)\"}]]}]]}],[\"$\",\"rect\",null,{\"x\":\"0\",\"y\":\"0\",\"width\":280,\"height\":148,\"fill\":\"url(#bcg-default)\"}],[\"$\",\"rect\",null,{\"x\":\"0\",\"y\":\"0\",\"width\":280,\"height\":148,\"fill\":\"url(#bcg-default-vgn)\"}],[\"$\",\"polygon\",null,{\"points\":\"140,36 178,74 140,112 102,74\",\"fill\":\"none\",\"stroke\":\"rgba(255,255,255,0.1)\",\"strokeWidth\":\"1\",\"strokeDasharray\":\"4 5\"}],[[\"$\",\"g\",\"0\",{\"transform\":\"translate(140, 36)\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"0\",\"cy\":\"0\",\"r\":\"9\",\"fill\":\"rgba(255,255,255,0.1)\",\"stroke\":\"none\"}],[[\"$\",\"circle\",null,{\"stroke\":\"rgba(255,255,255,0.82)\",\"strokeWidth\":1.5,\"fill\":\"none\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"cx\":\"0\",\"cy\":\"0\",\"r\":\"5\"}],[\"$\",\"line\",null,{\"stroke\":\"rgba(255,255,255,0.82)\",\"strokeWidth\":1.5,\"fill\":\"none\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"x1\":\"-5\",\"y1\":\"0\",\"x2\":\"5\",\"y2\":\"0\"}],[\"$\",\"path\",null,{\"stroke\":\"rgba(255,255,255,0.82)\",\"strokeWidth\":1.5,\"fill\":\"none\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"d\":\"M0,-5 C-2.5,-2 -2.5,2 0,5 C2.5,2 2.5,-2 0,-5\"}]]]}],[\"$\",\"g\",\"1\",{\"transform\":\"translate(178, 74)\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"0\",\"cy\":\"0\",\"r\":\"9\",\"fill\":\"rgba(255,255,255,0.1)\",\"stroke\":\"none\"}],[[\"$\",\"path\",null,{\"stroke\":\"rgba(255,255,255,0.82)\",\"strokeWidth\":1.5,\"fill\":\"none\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"d\":\"M-5,-2 A7,7 0 0,1 5,-2\"}],[\"$\",\"path\",null,{\"stroke\":\"rgba(255,255,255,0.82)\",\"strokeWidth\":1.5,\"fill\":\"none\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"d\":\"M-3,1.5 A4,4 0 0,1 3,1.5\"}],[\"$\",\"circle\",null,{\"cx\":\"0\",\"cy\":\"5\",\"r\":\"1\",\"fill\":\"rgba(255,255,255,0.7)\",\"stroke\":\"none\"}]]]}],[\"$\",\"g\",\"2\",{\"transform\":\"translate(140, 112)\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"0\",\"cy\":\"0\",\"r\":\"9\",\"fill\":\"rgba(255,255,255,0.1)\",\"stroke\":\"none\"}],[\"$\",\"path\",null,{\"stroke\":\"rgba(255,255,255,0.82)\",\"strokeWidth\":1.5,\"fill\":\"none\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"d\":\"M-6,0 L-3,0 L-1,-4 L1,4 L3,0 L6,0\"}]]}],[\"$\",\"g\",\"3\",{\"transform\":\"translate(102, 74)\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"0\",\"cy\":\"0\",\"r\":\"9\",\"fill\":\"rgba(255,255,255,0.1)\",\"stroke\":\"none\"}],[[\"$\",\"polyline\",null,{\"stroke\":\"rgba(255,255,255,0.82)\",\"strokeWidth\":1.5,\"fill\":\"none\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"points\":\"-5,3.5 -2,-2 1,1.5 4,-4\"}],[\"$\",\"line\",null,{\"stroke\":\"rgba(255,255,255,0.82)\",\"strokeWidth\":1.5,\"fill\":\"none\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"x1\":\"-5\",\"y1\":\"5\",\"x2\":\"5.5\",\"y2\":\"5\"}]]]}]],[\"$\",\"rect\",null,{\"x\":111.5,\"y\":58,\"width\":57,\"height\":32,\"rx\":16,\"fill\":\"rgba(0,0,0,0.32)\",\"stroke\":\"rgba(255,255,255,0.2)\",\"strokeWidth\":\"1\"}],[\"$\",\"text\",null,{\"x\":140,\"y\":74,\"textAnchor\":\"middle\",\"dominantBaseline\":\"central\",\"fontSize\":20,\"fontWeight\":\"700\",\"fill\":\"rgba(255,255,255,0.95)\",\"fontFamily\":\"system-ui, -apple-system, sans-serif\",\"letterSpacing\":\"-0.3\",\"children\":\"CSP\"}]]}]}]}],[\"$\",\"article\",null,{\"className\":\"blog-article\",\"children\":[[\"$\",\"header\",null,{\"className\":\"blog-article-header\",\"children\":[[\"$\",\"div\",null,{\"className\":\"blog-article-meta-top\",\"children\":null}],[\"$\",\"h1\",null,{\"className\":\"blog-article-title\",\"children\":\"CSP Explained: A Practical Guide to Content Security Policy\"}],[\"$\",\"p\",null,{\"className\":\"blog-article-subtitle\",\"children\":\"CSP explained clearly: what Content Security Policy is, which directives matter, how to deploy it safely, and how to monitor it so it never silently breaks.\"}],[\"$\",\"div\",null,{\"className\":\"blog-article-meta-top\",\"style\":{\"marginTop\":12},\"children\":[[\"$\",\"span\",null,{\"children\":\"1 June 2026\"}],[\"$\",\"span\",null,{\"children\":\"·\"}],[\"$\",\"span\",null,{\"children\":\"Uptrue Team\"}]]}]]}],false,\"$undefined\",[\"$\",\"div\",null,{\"className\":\"blog-article-body\",\"dangerouslySetInnerHTML\":{\"__html\":\"$1e\"}}],\"$L1f\",\"$undefined\",false,\"$L20\"]}]]}]\n"])</script><script>self.__next_f.push([1,"13:null\n"])</script><script>self.__next_f.push([1,"18:[[\"$\",\"title\",\"0\",{\"children\":\"CSP Explained: A Practical Guide to Content Security Policy | Uptrue | Uptrue Blog\"}],[\"$\",\"meta\",\"1\",{\"name\":\"description\",\"content\":\"CSP explained clearly: what Content Security Policy is, which directives matter, how to deploy it safely, and how to monitor it so it never silently breaks.\"}],[\"$\",\"meta\",\"2\",{\"name\":\"author\",\"content\":\"Vision Software Solutions Limited\"}],[\"$\",\"meta\",\"3\",{\"name\":\"keywords\",\"content\":\"uptime monitoring,website monitoring,server monitoring,performance monitoring,infrastructure monitoring,status page,incident management,SSL monitoring,DNS monitoring,agency monitoring,white-label monitoring,AI reports,downtime alerts,uptime checker\"}],[\"$\",\"meta\",\"4\",{\"name\":\"creator\",\"content\":\"Uptrue\"}],[\"$\",\"meta\",\"5\",{\"name\":\"publisher\",\"content\":\"Vision Software Solutions Limited\"}],[\"$\",\"meta\",\"6\",{\"name\":\"saashub-verification\",\"content\":\"l5obg5hu6ag6\"}],[\"$\",\"link\",\"7\",{\"rel\":\"canonical\",\"href\":\"https://uptrue.io/blog/csp-explained-guide\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:title\",\"content\":\"CSP Explained: A Practical Guide to Content Security Policy\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:description\",\"content\":\"CSP explained clearly: what Content Security Policy is, which directives matter, how to deploy it safely, and how to monitor it so it never silently breaks.\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:url\",\"content\":\"https://uptrue.io/blog/csp-explained-guide\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:type\",\"content\":\"article\"}],[\"$\",\"meta\",\"12\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"13\",{\"name\":\"twitter:title\",\"content\":\"Uptrue — Uptime Monitoring for Agencies \u0026 Teams\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:description\",\"content\":\"Monitor uptime, performance and infrastructure across all your sites. 10 monitor types, AI-powered reports, public status pages, and multi-channel alerts.\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:image\",\"content\":\"https://uptrue.io/opengraph-image\"}],[\"$\",\"link\",\"16\",{\"rel\":\"icon\",\"href\":\"/favicon.svg\",\"type\":\"image/svg+xml\"}],[\"$\",\"link\",\"17\",{\"rel\":\"apple-touch-icon\",\"href\":\"/favicon.svg\"}],[\"$\",\"$L21\",\"18\",{}]]\n"])</script><script>self.__next_f.push([1,"22:I[358981,[\"/_next/static/chunks/15p1b~ciy.iiw.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/05pi3py3cfs38.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/0-iznpjei-m1s.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\",\"/_next/static/chunks/0c0825n.37_1~.js?dpl=dpl_4LR5hKS1HftRyDetLsdEMQkaFkUg\"],\"BlogShareSubscribe\"]\n1f:[\"$\",\"$L22\",null,{\"title\":\"CSP Explained: A Practical Guide to Content Security Policy\",\"url\":\"https://uptrue.io/blog/csp-explained-guide\",\"category\":null}]\n20:[\"$\",\"footer\",null,{\"className\":\"blog-article-footer\",\"children\":[\"$\",\"div\",null,{\"className\":\"blog-author\",\"children\":[\"$\",\"div\",null,{\"className\":\"blog-author-info\",\"children\":[[\"$\",\"span\",null,{\"className\":\"blog-author-name\",\"children\":\"Uptrue Team\"}],[\"$\",\"span\",null,{\"className\":\"blog-author-role\",\"children\":\"Website Monitoring Platform\"}]]}]}]}]\n"])</script></body></html>