
HTTP Security Headers Every Website Should Have

Security headers are one of the cheapest and most effective ways to protect your website's visitors. Here's what each header does and why its absence is a risk.

Emil Gheonea, 22 February 2026, 8 min read

What Are Security Headers?

HTTP security headers are instructions your web server sends to the browser with every response. They cost almost nothing to implement, and because the browser enforces them on the client side they blunt a range of common attacks, including cross-site scripting, clickjacking, and man-in-the-middle attacks. They are a defence-in-depth layer, not a substitute for fixing the underlying bugs: a header only protects visitors whose browsers honour it, and it does nothing for a request that never reaches a browser.


Content-Security-Policy (CSP)

CSP is the most powerful, and most complex, security header. It tells the browser which sources of scripts, styles, images, and other resources are allowed to load, and, via nonces or hashes, which inline scripts are allowed to execute at all.

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'

What it prevents: Cross-site scripting (XSS). If an attacker injects a