Content Security Policy
CSP is an HTTP response header that tells the browser which sources of scripts, styles, and other content a page is allowed to load. A well-written policy is one of the strongest defenses against cross-site scripting, because injected script from an unapproved source simply will not run. Teams add and tune CSP during implementation and hardening, often starting in report-only mode to avoid breaking the site.