Add a CSP to block cross-site scripting (XSS) by controlling what resources can load.
A Content-Security-Policy is the strongest defense against XSS: it tells the browser exactly which sources of scripts, styles and images to trust and blocks everything else. It is also a quality/trust signal.
Start with Content-Security-Policy-Report-Only to catch violations without breaking the site, then promote it to enforcing. Then remove 'unsafe-inline'/'unsafe-eval' by moving to nonces/hashes once the basics work.

Before:
# No Content-Security-Policy header

After:
Content-Security-Policy: default-src 'self'; script-src 'self' https://www.googletagmanager.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'

Set the header via a security plugin or .htaccess. Test in report-only first: plugins inject inline scripts that a strict CSP will block.
Define CSP in headers() or middleware; use a nonce for inline scripts.