CSP (Content Security Policy)
DEFINITION
Content Security Policy is an HTTP response header (or, with limits, a meta tag) that tells the browser which origins may serve scripts, styles, images, fonts and frames, which origins the page may open connections to, and, via frame-ancestors, which sites may embed the page. A well-tuned, nonce- or hash-based CSP removes most of the impact of stored and reflected XSS, because attacker-injected inline script and script from unlisted origins simply do not run; frame-ancestors is the directive that closes clickjacking. Common pitfalls: leaving 'unsafe-inline' or 'unsafe-eval' in script-src for a CMS or legacy React build, which effectively disables the protection (use nonces or hashes instead); shipping with no report-uri or report-to endpoint, so you have no idea what broke in production; adding third-party domains (Stripe, Sentry, Hotjar) and never pruning them; and misreading how 'strict-dynamic' propagates trust (it makes the browser ignore host allowlists in that directive and trust only what a nonced or hashed script loads, so an allowlisted vendor domain next to it is dead). The meta-tag form cannot carry frame-ancestors, sandbox or the reporting directives, so ship the header. On a new project, ship as Content-Security-Policy-Report-Only first and only switch to the enforcing header once the report stream is quiet.
- Threat model→
A structured exercise that walks the system's actors, attack surface, risks, and controls. Day one of every DField project · before any code.
- Penetration test (pentest)→
Manual + tooled attack simulation that reveals what an attacker could achieve. We deliver findings as PRs in your repo, not an 80-page PDF.
- DevSecOps→
Security as a continuously-running CI step (SAST, DAST, SCA, IaC scan), not an annual project. Runs against every push; every sprint closes at least one security bug.
- MFA (Multi-factor auth)→
A password plus one or more further factors from a different category (TOTP, WebAuthn/passkey, biometric). Table-stakes in SaaS today · enterprise procurement disqualifies you without it.
- SOC 2→
A US attestation framework (AICPA Trust Services Criteria) covering security, availability, processing integrity, confidentiality, and privacy controls. For SaaS, the Type II report (controls observed over a 6-12 month period) is the standard enterprise baseline.
- ISO 27001→
International standard for Information Security Management Systems (ISMS). Often preferred in Europe instead of or alongside SOC 2. 3-year certification cycle with annual surveillance audits.
- 14 May 2026 · The 2026 smart contract security checklist before you ship→
- 14 May 2026 · AI Search: 2026 Guide to Generative Engine Optimization→
- 14 May 2026 · Mobile app or PWA? A practical 2026 decision guide→
- 30 Apr 2026 · Smart contract audit pricing in 2026: €4k vs €15k vs €60k→
- 29 Apr 2026 · NIS2 readiness for EU SaaS · the 90-day playbook→
- 26 Apr 2026 · OWASP LLM Top 10 v2 · what changed and what to ship→
- 26 Apr 2026 · The CSP we ship · with notes on why each directive is there→
- 22 Apr 2026 · Speculation Rules API in 2026: near-instant nav, zero JS→