CSP is the last line of defense that stops XSS scripts from executing even if injected. Directive syntax, nonce approach, Next.js config, and a safe rollout strategy — all covered.
A comprehensive deep dive into client-side storage. From Cookies to IndexedDB and the Cache API. We explore security best practices for JWT storage (XSS vs CSRF), performance implications of synchronous APIs, and how to build offline-first applications using Service Workers.
App crashes only in Release mode? It's likely ProGuard/R8. Learn how to debug obfuscated stack traces, use `@Keep` annotations, and analyze `usage.txt`.
Bitcoin is just part of it. How to create trust without a central authority, principles of decentralization, smart contracts, gas fees, Layer 2 solutions, DAOs, and the Oracle Problem.
Why your server isn't hacked. From 'Packet Filtering' checking ports/IPs to AWS Security Groups. Evolution of Firewalls.
The first line of XSS defense is input escaping — converting <, >, " in user input so injected scripts can't execute.
But it's not perfect. A third-party library might have a vulnerability. Legacy code might have dangerouslySetInnerHTML lurking somewhere. A rich text editor might sanitize incompletely. Countless ways a XSS payload can slip into the HTML.
CSP is the second line of defense: "the payload got injected — but it won't execute."
Analogy: first line is "don't let bad things in." CSP is "even if they got in, they can't operate."
CSP is an HTTP response header. It tells the browser which resources, from which sources, are allowed to load on the page.
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com
With this header, the browser:
self (same origin)https://trusted-cdn.com<!-- Allowed -->
<script src="/app.js"></script>
<script src="https://trusted-cdn.com/lib.js"></script>
<!-- Blocked (inline script) -->
<script>alert('XSS')</script>
<!-- Blocked (unauthorized external domain) -->
<script src="https://evil.com/malware.js"></script>
XSS attacks inject scripts into the page. CSP stops those scripts from executing.
CSP is composed of directives, each controlling a specific resource type.
Fallback for any directive not explicitly set.
Content-Security-Policy: default-src 'self'
Controls JavaScript execution sources.
# Own origin + specific CDNs only
script-src 'self' https://cdn.jsdelivr.net https://www.googletagmanager.com
# unsafe-inline: allows inline scripts (weakens XSS protection — avoid)
script-src 'self' 'unsafe-inline'
# unsafe-eval: allows eval() (more dangerous — never use in production)
script-src 'self' 'unsafe-eval'
Controls CSS sources.
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
Controls image sources.
# data: URI for base64 inline images
img-src 'self' data: https://images.example.com
Controls fetch, XHR, WebSocket.
connect-src 'self' https://api.example.com wss://ws.example.com
Controls who can embed this page in an iframe (clickjacking protection).
frame-ancestors 'none' # No iframe embedding allowed
frame-ancestors 'self' # Only same-origin iframes
Content-Security-Policy:
default-src 'self';
script-src 'self' https://www.googletagmanager.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
img-src 'self' data: https://images.example.com;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self' https://api.example.com;
frame-ancestors 'none';
form-action 'self';
base-uri 'self';
object-src 'none'
unsafe-inline allows inline scripts, weakening XSS protection. But sometimes inline scripts are unavoidable. That's where nonces come in.
The server generates a random nonce per request, placing it in both the CSP header and the inline script tag. The browser only executes scripts whose nonce matches the CSP header.
Even if an attacker injects <script> via XSS, they don't know the nonce — it's random per request, unpredictable.
// Next.js middleware — generate nonce per request
import { NextRequest, NextResponse } from "next/server";
export function middleware(request: NextRequest) {
const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
const cspHeader = `
default-src 'self';
script-src 'self' 'nonce-${nonce}' 'strict-dynamic';
style-src 'self' 'nonce-${nonce}';
img-src 'self' blob: data:;
font-src 'self';
object-src 'none';
base-uri 'self';
form-action 'self';
frame-ancestors 'none';
upgrade-insecure-requests;
`.replace(/\s{2,}/g, " ").trim();
const response = NextResponse.next();
response.headers.set("Content-Security-Policy", cspHeader);
response.headers.set("x-nonce", nonce);
return response;
}
// Next.js Server Component — read and use nonce
import { headers } from "next/headers";
import Script from "next/script";
export default async function RootLayout({ children }: { children: React.ReactNode }) {
const nonce = (await headers()).get("x-nonce") ?? "";
return (
<html>
<head>
{/* Inline script with nonce passes CSP */}
<script nonce={nonce} dangerouslySetInnerHTML={{
__html: `window.__INITIAL_DATA__ = ${JSON.stringify(initialData)}`,
}} />
</head>
<body>
{children}
<Script
src="https://www.googletagmanager.com/gtag/js"
strategy="afterInteractive"
nonce={nonce}
/>
</body>
</html>
);
}
Combined with a nonce, strict-dynamic allows scripts loaded dynamically by nonced scripts to also execute — without needing origin-based whitelists.
script-src 'nonce-{RANDOM}' 'strict-dynamic'
# 'self' and URL sources are ignored when strict-dynamic is present
Nonces suit dynamic pages. For static inline scripts, hashes work too.
import crypto from "crypto";
const inlineScript = `console.log("Hello, World!")`;
const hash = crypto.createHash("sha256").update(inlineScript).digest("base64");
// CSP: script-src 'sha256-{hash}'
<!-- This exact script is allowed if its hash is in CSP -->
<script>console.log("Hello, World!")</script>
If the script changes even slightly, the hash changes and CSP must be updated. For frequently changing scripts, nonces are more practical.
Applying CSP immediately can break existing scripts. Use Report-Only first to collect violations.
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; report-uri /csp-report
// Collect violation reports
app.post("/csp-report", express.json({ type: "application/csp-report" }), (req, res) => {
const report = req.body["csp-report"];
console.warn("CSP Violation:", {
documentUri: report["document-uri"],
violatedDirective: report["violated-directive"],
blockedUri: report["blocked-uri"],
sourceFile: report["source-file"],
lineNumber: report["line-number"],
});
res.status(204).end();
});
Collect violations, build your whitelist, then switch to enforcing mode.
// next.config.ts
const nextConfig: NextConfig = {
async headers() {
return [
{
source: "/(.*)",
headers: [
{
key: "Content-Security-Policy",
value: [
"default-src 'self'",
"script-src 'self' https://www.googletagmanager.com",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https:",
"font-src 'self'",
"connect-src 'self' https://api.example.com",
"frame-ancestors 'none'",
"form-action 'self'",
"object-src 'none'",
"base-uri 'self'",
"upgrade-insecure-requests",
].join("; "),
},
{ key: "X-Frame-Options", value: "DENY" },
{ key: "X-Content-Type-Options", value: "nosniff" },
{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
],
},
];
},
};
// middleware — dynamic nonce-based CSP
export default async function middleware(request: NextRequest) {
const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
const csp = [
`default-src 'self'`,
`script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https:`,
`style-src 'self' 'unsafe-inline'`,
`img-src 'self' data: https:`,
`font-src 'self' https://fonts.gstatic.com`,
`connect-src 'self' https://api.example.com`,
`frame-ancestors 'none'`,
`object-src 'none'`,
`base-uri 'self'`,
`upgrade-insecure-requests`,
].join("; ");
const response = intlMiddleware(request);
response.headers.set("Content-Security-Policy", csp);
response.headers.set("x-nonce", nonce);
return response;
}
# This largely defeats the purpose of CSP
script-src 'self' 'unsafe-inline' 'unsafe-eval'
unsafe-inline means injected <script> tags work. Use nonces instead.
# Too loose
script-src *
# Better
script-src 'self' https://cdn.example.com
Google Analytics, Intercom, Hotjar — many load additional scripts dynamically or use inline styles.
# GTM requires this
script-src 'self' https://www.googletagmanager.com 'nonce-{RANDOM}' 'strict-dynamic'
With strict-dynamic, GTM-loaded scripts work without individually whitelisting each URL.
Some bundlers and template engines call eval().
EvalError: Refused to evaluate a string as JavaScript
because 'unsafe-eval' is not an allowed source...
Check if this is only in development mode (webpack uses eval for source maps in dev). Switch to devtool: 'source-map' for production builds.
Step 1: Report-Only for 2-4 weeks
Content-Security-Policy-Report-Only: default-src 'self'; ...; report-uri /csp-report
Step 2: Analyze violations → add required sources to whitelist
Step 3: Apply loose CSP in enforcement mode
script-src 'self' 'unsafe-inline' ...
Step 4: Remove unsafe-inline → migrate to nonce approach
Step 5: Add strict-dynamic to tighten further
This sequence prevents sudden feature breakage.
Mozilla Observatory — rates CSP and all security headers
https://observatory.mozilla.org
CSP Evaluator (Google) — checks for weaknesses in your policy
https://csp-evaluator.withgoogle.com
Security Headers — scans and grades your response headers
https://securityheaders.com
CSP is powerful but not a silver bullet.
frame-ancestors helps, but also set X-Frame-Options as belt-and-suspenders.CSP setup is complex and debugging can be painful, but it's the strongest browser-level defense against XSS.
Key points:
unsafe-inline and unsafe-eval — use noncesstrict-dynamic eliminates origin-based whitelists for script-loaded scriptsInput escaping + CSP together create a robust two-layer defense against XSS.