Content Security Policy (CSP) is a feature of modern web browsers, configured by the server through the Content-Security-Policy response header (or a meta tag), which helps mitigate content injection vulnerabilities such as cross-site scripting (XSS) in web applications. It is no substitute for writing a secure application, but it is useful in limiting the damage these vulnerabilities can do: a browser enforcing the policy refuses to run script the policy does not permit, even if an attacker has managed to inject it into the page.
I recently implemented a strict CSP in a reasonably old web application. As coding started in 2006, it used a few techniques which are a little out of date, and needed some work to cope with a CSP which was strict enough to be worth using.
I found I only needed to use a few strategies in making the required changes, and once I had the strategies in mind, converting old code to be CSP-compatible was pretty much a mechanical task. While a little dull, it was a welcome opportunity to review my old code and improve it.
Strategies for implementing Content Security Policy – Ben Summers’ Blog.