How to Set Up a Content Security Policy (CSP) 

A Content Security Policy, or CSP, helps protect your website from cross-site scripting attacks. It limits which resources the browser is allowed to load and adds an important layer of defense to your VPS setup. In this article, you will learn how to configure CSP, test your rules safely, and improve your site's overall security with additional headers. 

What a Content Security Policy Does 

CSP acts like a gatekeeper. It lets the browser know which scripts, images, or styles to trust. When a suspicious resource tries to load, the browser blocks it. Because of this behavior, CSP reduces the risk of unwanted scripts being executed on your site. 

Add a Basic CSP Header 

You can start with a simple configuration. When using Apache, open your site's configuration file (the Header directive requires mod_headers to be enabled) and add the following line: 

Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com"

This rule tells the browser to load scripts only from your domain and a trusted CDN. After you save the file, reload your server and refresh your browser to apply the changes. 

If you use NGINX, add this header instead: 

add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com"; 

Then run: 

sudo systemctl reload nginx 

Reloading ensures your new security settings take effect. 

Test Safely with Report-Only Mode 

If you want to test your policy before enforcing it, enable CSP Report-Only mode. It reports violations without blocking anything: 

Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report-endpoint 

This approach helps you see what your future policy would block. You can check violations through your browser's developer tools, and the browser also POSTs a JSON report for each violation to the path named in report-uri, so that endpoint must exist and accept those requests. Adjust the rule set until everything works smoothly, then switch the header to the enforcing Content-Security-Policy form. 
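The reports the browser sends to the report-uri endpoint are small JSON documents wrapped in a "csp-report" object. The following Python code is an added example (not part of the original article) that parses such reports and tallies which directive blocked which origin, which is exactly the list you need to review before enforcing the policy. The sample report bodies are constructed and the URLs in them are hypothetical.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample bodies in the shape a browser POSTs to report-uri
# (Content-Type: application/csp-report); hypothetical values, not real traffic.
SAMPLE_REPORTS = [
    b"""{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src",
        "blocked-uri": "https://trusted.cdn.com/lib.js", "original-policy": "default-src 'self'"}}""",
    b"""{"csp-report": {"document-uri": "https://example.com/about", "effective-directive": "script-src",
        "blocked-uri": "https://trusted.cdn.com/ui.js"}}""",
    b"""{"csp-report": {"document-uri": "https://example.com/", "violated-directive": "script-src 'self'",
        "blocked-uri": "inline"}}""",
    b"""{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "img-src",
        "blocked-uri": "http://example.com/logo.png"}}""",
    b"not json at all",
]

def origin_of(uri: str) -> str:
    """Reduce a blocked-uri to its origin; keywords such as 'inline' or 'eval' pass through."""
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else (uri or "(none)")

def parse_csp_report(body: bytes) -> dict:
    """Extract the fields needed for triage; raise ValueError on malformed input."""
    try:
        data = json.loads(body)
    except ValueError as exc:  # covers JSONDecodeError and invalid UTF-8
        raise ValueError("body is not JSON") from exc
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    # Older browsers omit effective-directive and send violated-directive with its whole
    # source list ("script-src 'self' ..."), so keep only the directive name.
    directive = str(report.get("effective-directive") or report.get("violated-directive") or "")
    return {"document": str(report.get("document-uri", "")),
            "directive": directive.split()[0] if directive else "",
            "blocked": origin_of(str(report.get("blocked-uri", "")))}

def summarize(bodies) -> tuple:
    """Count (directive, blocked origin) pairs: the list to review before enforcing the policy."""
    counts, rejected = Counter(), 0
    for body in bodies:
        try:
            r = parse_csp_report(body)
        except ValueError:
            rejected += 1
            continue
        counts[(r["directive"], r["blocked"])] += 1
    return counts, rejected
```

Feed the POST bodies your endpoint receives into summarize(); a pair such as ("script-src", "https://trusted.cdn.com") appearing many times tells you that origin belongs in script-src, while ("script-src", "inline") means an inline script still needs a nonce, a hash, or refactoring.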

Block Mixed Content 

Mixed content happens when your HTTPS site loads elements over HTTP. Modern browsers block some of these requests automatically. To avoid issues, update all resource URLs to HTTPS. Then let CSP enforce this behavior by allowing only https:// sources in your directives, as in the examples above; the upgrade-insecure-requests directive additionally tells the browser to fetch any remaining http:// subresources over HTTPS. 

Combine CSP with Other Security Headers 

CSP is powerful on its own, yet it works even better when combined with other protections. Add the following headers to improve your site’s security: 

Strict-Transport-Security: max-age=31536000; includeSubDomains 
X-Content-Type-Options: nosniff 
X-Frame-Options: DENY 

Together, these headers strengthen user trust and increase your website’s safety. If you feel unsure about where to begin, you can use tools like Mozilla Observatory to create a ready-to-use policy. 

Watch Our YouTube Video on Setting Up CSP 

If you prefer a visual walkthrough, check out the connected YouTube video that this script is based on. 

Conclusion 

CSP is one of the most effective defenses against cross-site scripting attacks. You can implement it quickly, test it safely, and enhance it with related headers for stronger protection. These steps help secure your VPS setup and reduce risks caused by untrusted scripts. 
