Content Security Policy (CSP) is delivered to the browser via the Content-Security-Policy HTTP response header, but it can also be defined within a meta tag. With CSP, developers can restrict which resources the browser is allowed to load, and from where, to help prevent attacks such as Cross Site Scripting (XSS) and other injection attacks.
The main reason CSP is deployed is to improve the security of your websites or web applications. CSP is enforced by the browser rather than the server, so as long as your users have a modern browser (one built within the last 5 years), they should have excellent support available for CSP.
If your site loads a lot of third-party content, it can be complex to create policies that work well with third-party services. This is especially challenging if the third-party service has not been implemented in a way that is friendly to CSP, for example if it injects scripts dynamically or injects inline styles. The temptation is then to add 'unsafe-inline' to make the vendor's code work, which largely defeats the XSS protection the policy was meant to provide.
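The usual way to find out what a third-party service actually loads before enforcing anything is to ship the intended policy in the Content-Security-Policy-Report-Only header and summarise the violation reports the browser sends back. The block below is an added example of that workflow, not code from the original page: the header builder, the aggregation of reports by directive and blocked origin, and the recommendation step are the author's illustration, and the sample reports (in the legacy csp-report JSON shape) are constructed, with widget.example.net and shop.example as hypothetical hosts.

```javascript
// Added example (not code from the original page): stage a policy in
// report-only mode and summarise the violation reports so that third-party
// resources can be identified before enforcement. Hosts are hypothetical.

// The policy we intend to enforce, sent in report-only mode. Nothing is
// blocked; violations are reported to reportPath. (report-uri is the older
// reporting directive; report-to is its successor but report-uri is still
// widely honoured.)
function reportOnlyHeader(policy, reportPath) {
  return {
    'Content-Security-Policy-Report-Only': `${policy}; report-uri ${reportPath}`,
  };
}

// Normalise a blocked-uri: URLs collapse to their origin, keywords such as
// 'inline', 'eval' and 'data' are kept as-is.
function blockedKey(blockedUri) {
  try {
    return new URL(blockedUri).origin;
  } catch {
    return blockedUri || '(empty)';
  }
}

// Aggregate reports into { directive: { blockedKey: count } }.
function summarizeReports(reports) {
  const summary = {};
  for (const r of reports) {
    const body = r['csp-report'];
    if (!body) continue;
    const directive = (body['effective-directive'] || body['violated-directive'] || '').split(' ')[0];
    const key = blockedKey(body['blocked-uri']);
    if (!summary[directive]) summary[directive] = {};
    summary[directive][key] = (summary[directive][key] || 0) + 1;
  }
  return summary;
}

// Turn the summary into actions. Origins can be allowlisted in the matching
// directive; inline/eval violations mean the third party is not CSP-friendly
// and need a nonce, a hash or a vendor fix rather than 'unsafe-inline'.
function recommend(summary) {
  const allow = {};
  const needsWork = [];
  for (const [directive, sources] of Object.entries(summary)) {
    for (const src of Object.keys(sources)) {
      if (/^https?:\/\//.test(src)) {
        if (!allow[directive]) allow[directive] = [];
        allow[directive].push(src);
      } else {
        needsWork.push(
          `${directive}: ${sources[src]} '${src}' violation(s); do not add 'unsafe-inline' or 'unsafe-eval', use a nonce/hash or ask the vendor`
        );
      }
    }
  }
  return { allow, needsWork };
}

// Constructed sample reports, as a browser would POST them to report-uri
// for a checkout page that embeds a hypothetical third-party widget.
const sampleReports = [
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'script-src', 'violated-directive': 'script-src', 'blocked-uri': 'https://widget.example.net/loader.js' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'script-src', 'violated-directive': 'script-src', 'blocked-uri': 'https://widget.example.net/widget.js' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'script-src', 'violated-directive': 'script-src', 'blocked-uri': 'inline', 'script-sample': 'window.widgetConfig = {' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'style-src', 'violated-directive': 'style-src', 'blocked-uri': 'inline' } },
];
```

Running summarizeReports over the sample shows the widget's two script files collapsing to one origin that can be allowlisted, while the inline script and inline style violations are the signal that the vendor injects inline code and needs to be handled differently.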
CSP can be a great way to improve the security of your site and significantly reduce the likelihood of successful XSS attacks. It is a defence-in-depth layer: it limits what an injected payload can do, but it does not remove the injection bug itself, so output encoding and input validation are still required.
CSP can also be a great help in meeting the script authorization, script integrity and script inventory requirements for payment page scripts defined in PCI DSS version 4.0 (requirement 6.4.3).