Parse and audit a Content-Security-Policy header - detect unsafe-inline, unsafe-eval, wildcards, missing directives, and known bypass patterns.
Content-Security-Policy is a defense-in-depth header that tells the browser which sources are allowed for scripts, styles, images, fonts, frames, and other resource types. A well-crafted CSP can mitigate XSS, clickjacking, data exfiltration, and mixed content attacks.
Specs: CSP Level 3 (W3C) · CSP cheat sheet · Google CSP Evaluator
Common pitfalls: 'unsafe-inline' defeats the main purpose of CSP for XSS prevention; 'unsafe-eval' permits eval() and new Function(); wildcard hosts (*, *.googleapis.com) widen the attack surface; a missing frame-ancestors directive leaves the page open to clickjacking even when X-Frame-Options is set.
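A compact auditor that implements the checks described above, written here as an added example (it is not the page's own tool). The sample policy is constructed, and the audit also flags missing object-src and base-uri, two directives CSP reviewers commonly check alongside frame-ancestors.

```python
from typing import Dict, List

# Constructed sample policy for the demo (not taken from any real site).
SAMPLE_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
              "*.googleapis.com https:; img-src *; style-src 'self' 'nonce-abc123'")

BROAD_SCHEMES = ("http:", "https:", "data:")          # scheme-only sources allow any host
KEYED_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}.

    Directive names are case-insensitive, and the spec honours only the
    first occurrence of a duplicated directive, so later copies are dropped.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings for one Content-Security-Policy value."""
    policy = parse_csp(header)
    findings: List[str] = []
    # script-src falls back to default-src when absent.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("script-src: missing and no default-src fallback; scripts unrestricted")
    else:
        # With a nonce or hash present, browsers ignore 'unsafe-inline', so only flag it when effective.
        keyed = any(s.startswith(KEYED_PREFIXES) for s in script_src)
        if "'unsafe-inline'" in script_src and not keyed:
            findings.append("script-src: 'unsafe-inline' allows injected inline scripts")
        if "'unsafe-eval'" in script_src:
            findings.append("script-src: 'unsafe-eval' permits eval() and new Function()")
        for src in script_src:
            if src == "*" or src.startswith("*.") or src in BROAD_SCHEMES:
                findings.append(f"script-src: overly broad source {src}")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src: missing; plugin/embed content can execute script")
    # These two have no default-src fallback, so absence means no protection at all.
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors: missing; page can be framed (clickjacking)")
    if "base-uri" not in policy:
        findings.append("base-uri: missing; an injected <base> tag can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    for finding in audit_csp(SAMPLE_CSP):
        print(finding)
```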