<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Ayman Eldawy</title>
    <description>The latest articles on DEV Community by Ayman Eldawy (@aymaneldawy).</description>
    <link>https://dev.to/aymaneldawy</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F185073%2F9f223d8a-2fa1-44b5-904e-6db1d3ff91c9.jpg</url>
      <title>DEV Community: Ayman Eldawy</title>
      <link>https://dev.to/aymaneldawy</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/aymaneldawy"/>
    <language>en</language>
    <item>
      <title>What is Content Security Policy (CSP)?</title>
      <dc:creator>Ayman Eldawy</dc:creator>
      <pubDate>Thu, 02 Jul 2026 07:43:56 +0000</pubDate>
      <link>https://dev.to/aymaneldawy/what-is-content-security-policy-csp-p6p</link>
      <guid>https://dev.to/aymaneldawy/what-is-content-security-policy-csp-p6p</guid>
      <description>&lt;p&gt;One of the most important, yet often underrated, topics in frontend security is &lt;strong&gt;Content Security Policy (CSP)&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;You can think of CSP as a set of instructions you give the browser, telling it &lt;strong&gt;what is allowed to run and what should be blocked&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Let's break it down.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is CSP?
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Content Security Policy (CSP)&lt;/strong&gt; is an &lt;strong&gt;HTTP response header&lt;/strong&gt; that you configure on your server to tell the browser which sources are trusted for loading resources such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;JavaScript&lt;/li&gt;
&lt;li&gt;CSS&lt;/li&gt;
&lt;li&gt;Images&lt;/li&gt;
&lt;li&gt;Videos&lt;/li&gt;
&lt;li&gt;Fonts&lt;/li&gt;
&lt;li&gt;And other assets&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Imagine the browser has a &lt;strong&gt;whitelist&lt;/strong&gt; of trusted sources. Whenever it tries to load a resource, it checks whether that source is on the list.&lt;/p&gt;

&lt;p&gt;If the source isn't trusted, the browser simply blocks it.&lt;/p&gt;

&lt;p&gt;This makes it much harder for attackers to inject and execute malicious code on your website.&lt;/p&gt;




&lt;h2&gt;
  
  
  What problem does CSP solve?
&lt;/h2&gt;

&lt;p&gt;The primary problem CSP helps mitigate is &lt;strong&gt;Cross-Site Scripting (XSS)&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;An XSS attack allows an attacker to inject malicious JavaScript into your application. Once executed, that script could:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Steal cookies&lt;/li&gt;
&lt;li&gt;Read data from Local Storage&lt;/li&gt;
&lt;li&gt;Modify the page&lt;/li&gt;
&lt;li&gt;Perform actions on behalf of the user&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How does CSP stop this?
&lt;/h3&gt;

&lt;p&gt;Even if an attacker successfully injects JavaScript into your page, the browser will first check your CSP policy.&lt;/p&gt;

&lt;p&gt;If that script doesn't come from an approved source, &lt;strong&gt;the browser refuses to execute it&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;In many cases, the attack simply fails before any malicious code runs.&lt;/p&gt;




&lt;h2&gt;
  
  
  CSP helps with more than XSS
&lt;/h2&gt;

&lt;p&gt;Although CSP is mainly known for mitigating XSS attacks, it can also help reduce other security risks, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Clickjacking&lt;/li&gt;
&lt;li&gt;Loading untrusted third-party resources&lt;/li&gt;
&lt;li&gt;Restricting iframes&lt;/li&gt;
&lt;li&gt;Controlling redirects&lt;/li&gt;
&lt;li&gt;Restricting form submissions&lt;/li&gt;
&lt;li&gt;Controlling where images, fonts, stylesheets, and scripts can be loaded from&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Despite being "just an HTTP header," CSP offers a surprisingly powerful security layer.&lt;/p&gt;

&lt;p&gt;The downside?&lt;/p&gt;

&lt;p&gt;Implementing a strict CSP can be challenging because you'll often need to carefully define every trusted resource your application depends on.&lt;/p&gt;




&lt;h2&gt;
  
  
  A simple example
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://example.com;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  What does this mean?
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;default-src 'self'&lt;/code&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;By default, resources should only be loaded from your own domain.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;code&gt;script-src 'self' https://example.com&lt;/code&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;JavaScript is only allowed to execute if it comes from your own website or from &lt;code&gt;https://example.com&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Any script loaded from another source will be blocked by the browser.&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;The stricter your policy becomes, the stronger your security.&lt;/p&gt;

&lt;p&gt;Of course, finding the right balance between security and usability can take some effort.&lt;/p&gt;

&lt;p&gt;If you're using &lt;strong&gt;Next.js&lt;/strong&gt;, you can follow this guide to show you how to configure CSP in your application.&lt;br&gt;
&lt;a href="https://nextjs.org/docs/app/guides/content-security-policy" rel="noopener noreferrer"&gt;https://nextjs.org/docs/app/guides/content-security-policy&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you're using &lt;strong&gt;Angular&lt;/strong&gt;, you'll also find official documentation covering CSP support.&lt;/p&gt;




&lt;p&gt;This is the first post in a series about &lt;strong&gt;Frontend Security&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Over the next few posts, we'll explore more real-world security topics that every frontend developer should understand.&lt;/p&gt;

</description>
      <category>csp</category>
      <category>security</category>
      <category>frontend</category>
      <category>javascript</category>
    </item>
  </channel>
</rss>
