Answer
Content Security Policy (CSP) limits the impact of cross-site scripting by telling the browser which scripts and other resources it may load or execute, so injected markup that the server failed to encode often cannot run.
• A strict policy allows scripts by per-response nonce (`'nonce-…'`) or by content hash (`'sha256-…'`) instead of the broad `'unsafe-inline'` permission; an injected `<script>` has neither and is blocked. Pair this with `object-src 'none'` and `base-uri 'none'`, and consider `'strict-dynamic'` so nonced scripts can load their own dependencies without a host allowlist.
• CSP is defense in depth: it does not stop injection into non-script contexts, DOM-based XSS inside already-trusted scripts, or data exfiltration through non-script resources, and it does not replace output encoding, sanitization, or secure application code.
• Deploy policies through the `Content-Security-Policy` response header. Roll out first with `Content-Security-Policy-Report-Only` and a `report-to`/`report-uri` endpoint, review the violation reports, then switch to the enforcing header.
💡 Simple Example
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
This policy allows same-origin resources only: inline `<script>` blocks, inline event handlers and `javascript:` URLs are refused, so the page's own scripts must live in external same-origin files. Browsers accept the `<meta>` form, but the response header is preferred; the meta form cannot express `frame-ancestors`, `report-uri` or `sandbox`.
⚡ Quick Revision
CSP limits script execution and resource sources, reducing XSS impact as one layer of defense.