URL: /rules/security/csp

---
title: "Content Security Policy"
description: "Checks for Content-Security-Policy header and validates directives"
---

Checks for Content-Security-Policy header and validates directives

| | |
|---|---|
| **Rule ID** | `security/csp` |
| **Category** | [Security](/rules/security) |
| **Scope** | Site-wide |
| **Severity** | warning |
| **Weight** | 6/10 |

## Solution

CSP mitigates XSS and related injection by telling the browser which sources a page may load scripts, styles, images, frames and other resources from: an injected `<script>` that does not match the policy is not executed. Roll it out in stages. Deliver the policy first in a `Content-Security-Policy-Report-Only` header, which reports violations (through `report-to`, or the older `report-uri`) without blocking anything, fix what it reports, then switch to `Content-Security-Policy`. Key directives: `default-src 'self'` as the fallback for every fetch directive not set explicitly; `script-src` without `'unsafe-inline'` and without `*` or bare scheme sources such as `https:`; `object-src 'none'` and `base-uri 'self'`, which close the plugin and `<base>`-injection bypasses; `img-src` and `style-src`; and `frame-ancestors`, which controls who may frame the page (it only works in a header, browsers ignore it in a `<meta>` tag). Allow the inline scripts you control with a per-response nonce (`'nonce-<value>'`, a fresh unguessable base64 value generated for every response, never reused or hard-coded) or a hash of the script body (`'sha256-<base64 digest>'`) instead of `'unsafe-inline'`. A strict policy will break inline event handlers, `javascript:` URLs and any third-party widget that is not in the allow list, so test thoroughly before enforcing.

## Enable / Disable

### Disable this rule

```toml squirrel.toml
[rules]
disable = ["security/csp"]
```

### Disable all Security rules

```toml squirrel.toml
[rules]
disable = ["security/*"]
```

### Enable only this rule

```toml squirrel.toml
[rules]
enable = ["security/csp"]
disable = ["*"]
```
