Implementing Content Security Policy (CSP)
Content Security Policy is a browser feature that lets us make our apps more secure by helping prevent Cross-Site Scripting (XSS) and content injection attacks. It does this by giving us control over where resources may be loaded from and executed.
Even though CSP is supported by most browsers, you should always develop your apps with the worst-case scenario in mind (the browser not supporting CSP). The golden security rule for web apps still applies: filter input, escape output.
Enabling CSP requires us to configure our server to add a header to our document response. The most restrictive (and safest) value for this header would be:
Content-Security-Policy: default-src 'none';
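To make the header format and the `default-src` fallback concrete, here is an added example that is not part of the original post: a small Python model of how a CSP-enforcing browser decides whether a resource may load. `build_csp`, `parse_csp`, `is_allowed` and the sample origins (`app.example`, `cdn.example.net`) are constructed for this example. It models `'self'`, host sources and scheme sources only; nonces, hashes and `'unsafe-inline'` (which govern inline code, not URLs) are left out, and ports and paths are ignored.

```python
from urllib.parse import urlsplit

# Fetch directives that inherit from default-src when not set explicitly
# (a subset of the CSP Level 3 list; directives such as frame-ancestors do not fall back).
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
}


def build_csp(policy: dict) -> str:
    """Serialize {directive: [sources]} into a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items()) + ";"


def parse_csp(header: str) -> dict:
    """Parse a header value back into {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: dict, directive: str):
    """Source list governing `directive` after the default-src fallback; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def _host_source_matches(src: str, res) -> bool:
    """Match host-source expressions such as https://cdn.example.net, *.example.com or the scheme-source https:."""
    scheme, host = None, src
    if "://" in src:
        scheme, host = src.split("://", 1)
    elif src.endswith(":"):  # scheme-source, e.g. "https:"
        return res.scheme == src[:-1].lower()
    if scheme and res.scheme != scheme.lower():
        return False
    host = host.split("/", 1)[0].split(":", 1)[0].lower()  # drop path and port (simplification)
    name = (res.hostname or "").lower()
    if host == "*":
        return True
    if host.startswith("*."):
        return name.endswith(host[1:])  # "*.example.com" matches "a.example.com", not "example.com"
    return name == host


def is_allowed(policy: dict, directive: str, resource_url: str, page_origin: str) -> bool:
    """Would a CSP-enforcing browser load `resource_url` under `directive` on a page at `page_origin`?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    res = urlsplit(resource_url)
    res_origin = f"{res.scheme}://{res.netloc}".lower()
    for src in sources:
        if src == "'none'":
            continue  # 'none' matches nothing, so a directive holding only 'none' blocks everything
        if src == "'self'":
            if res_origin == page_origin.lower():
                return True
            continue
        if _host_source_matches(src, res):
            return True
    return False


if __name__ == "__main__":
    # The header from the post: nothing loads from anywhere.
    strict = parse_csp("default-src 'none';")
    print(is_allowed(strict, "script-src", "https://app.example/js/app.js", "https://app.example"))  # False

    # A typical relaxation: keep 'none' as the default, allow-list only what each directive needs.
    header = build_csp({
        "default-src": ["'none'"],
        "script-src": ["'self'", "https://cdn.example.net"],
        "img-src": ["https:"],
    })
    print(header)
    relaxed = parse_csp(header)
    print(is_allowed(relaxed, "script-src", "https://cdn.example.net/lib.js", "https://app.example"))  # True
    print(is_allowed(relaxed, "style-src", "https://app.example/site.css", "https://app.example"))  # False: falls back to default-src 'none'
```

The point of starting from `default-src 'none'` shows up in the last call: `style-src` was never mentioned, so it inherits `'none'` and the stylesheet is blocked until the policy explicitly allows it, which is the fail-closed behaviour you want when a directive is forgotten.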