Content Security Policy (CSP)
An HTTP response header that tells browsers which sources of script, style, image and other content the page is allowed to load.
In detail
Content Security Policy (CSP) is a browser-enforced allowlist that limits where a page can load executable content from. A strict CSP rejects inline scripts, blocks unknown CDNs and prevents many XSS techniques even when the underlying vulnerability is present. CSP can be deployed in Report-Only mode first to catch breakage before enforcement. Modern best practice is a strict, nonce-based CSP, but a script-src allowlist is the pragmatic starting point for most production apps.
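To make the mechanics above concrete, here is an added Python example (not code from this page or from the consultancy) that builds a strict nonce-based policy and its Report-Only twin, builds the simpler script-src host allowlist the text calls a starting point, renders a page whose own script carries the nonce, runs a simplified check of which script tags the script-src directive would let run, and parses the JSON a browser posts to a report-uri endpoint. The /csp-report path, the /static/app.js script, the example.com host and the sample violation report are constructed for illustration.

```python
import json
import re
import secrets
from html import escape


def new_nonce():
    """Fresh per-response nonce; reuse across responses defeats the purpose."""
    return secrets.token_urlsafe(16)


def build_csp(nonce, report_endpoint="/csp-report"):
    """Strict nonce-based policy. 'strict-dynamic' lets scripts loaded by a nonced
    script run without listing every CDN; the trailing https: source is only used
    by older browsers that ignore 'strict-dynamic'."""
    directives = [
        f"script-src 'nonce-{nonce}' 'strict-dynamic' https:",
        "object-src 'none'",
        "base-uri 'none'",
        f"report-uri {report_endpoint}",  # constructed endpoint path
    ]
    return "; ".join(directives)


def build_allowlist_csp(hosts, report_endpoint="/csp-report"):
    """The pragmatic starting point: a host allowlist with no inline script."""
    sources = " ".join(["'self'", *hosts])
    return "; ".join([f"script-src {sources}", "object-src 'none'",
                      "base-uri 'none'", f"report-uri {report_endpoint}"])


def csp_headers(nonce, report_only=False):
    """Same policy, either enforced or only reported (the rollout step)."""
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return {name: build_csp(nonce)}


def render_page(nonce, stored_comment, escape_output=True):
    """Comments page whose own script carries the nonce. escape_output=False writes
    the stored comment raw, reproducing the stored-XSS bug CSP is meant to contain;
    the default shows the output encoding that fixes the bug itself."""
    body = escape(stored_comment) if escape_output else stored_comment
    return (
        "<!doctype html><html><head>"
        f'<script nonce="{nonce}" src="/static/app.js"></script>'  # constructed path
        f'</head><body><div class="comment">{body}</div></body></html>'
    )


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""nonce=["']([^"']+)["']""")


def scripts_allowed(html, csp):
    """Simplified model of script-src for a nonce-based policy: a <script> runs only
    if its nonce attribute matches one in the policy. Browsers also evaluate hashes,
    host sources and 'unsafe-inline'; those are out of scope for this model."""
    allowed = set(re.findall(r"'nonce-([^']+)'", csp))
    results = []
    for tag in SCRIPT_TAG.finditer(html):
        attr = NONCE_ATTR.search(tag.group(1))
        results.append(bool(attr and attr.group(1) in allowed))
    return results


def parse_violation_report(body):
    """Pull the fields worth alerting on out of a report-uri POST body."""
    report = json.loads(body)["csp-report"]
    return {
        "document": report.get("document-uri"),
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "blocked": report.get("blocked-uri"),  # "inline" for blocked inline scripts
    }


# Constructed sample of what a browser posts when an inline script is blocked.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/comments",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "status-code": 200,
}})


if __name__ == "__main__":
    nonce = new_nonce()
    print(csp_headers(nonce, report_only=True))
    injected = "<script>document.title = 'x'</script>"  # stands in for stored XSS
    page = render_page(nonce, injected, escape_output=False)
    print("scripts permitted:", scripts_allowed(page, build_csp(nonce)))
    print(parse_violation_report(SAMPLE_REPORT))
```

Run with Report-Only first and watch the parsed reports: legitimate inline handlers or third-party widgets show up as blocked-uri "inline" or their host, and each one needs a nonce or an allowlist entry before switching to the enforcing header.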
Why it matters for Australian business
For Australian businesses, CSP is a defence-in-depth control. If the application has a stored XSS bug, CSP can prevent the attacker's script from running. For a security consultancy or any business handling sensitive data, CSP is also a visible posture signal. Tools like securityheaders.com grade public sites, and a missing CSP is the most common reason a site is marked down. We ship CSP on every production engagement.