This documentation is outdated and available for historical reasons only. To learn how to enable strict Content Security Policy in your application, visit web.dev/strict-csp.

Resources

  • web.dev/strict-csp provides detailed guidance for enabling strict CSP.
  • CSP Evaluator helps you check if a chosen CSP policy is secure.
  • CSP paper - an investigation of the state of CSP on the Web and security analysis of real-world policies.
  • Google Closure documentation serves as an example of how an HTML templating system can automatically add nonce attributes to <script> elements.