Strict CSP header with nonces instead of unsafe-inline, aligned with BSI IT-Grundschutz.
What is this, and when do I need it?
What is this?
Content Security Policy (CSP, level 3) is an HTTP response header that tells the browser
which sources it may load scripts, images, fonts, iframes etc. from. Anything not on the
list is blocked.
This stops Cross-Site Scripting (XSS) and the injection of foreign scripts via compromised
third parties - today's most common attack class against web apps.
Important: the header belongs in the server config (Nginx, Apache, Caddy,
IIS) - not as a <meta> tag in HTML, where it is partially ignored
and less strict.
When do I need it?
For every self-hosted web app with user login, forms, or embedded third-party scripts
(analytics, maps, embeds). For purely static marketing pages without input fields the value
is small, but it is best practice for BSI IT-Grundschutz compliance.
Rollout: first test with Content-Security-Policy-Report-Only plus a report endpoint, then after 2-4 weeks
without violations switch to enforcing.
{NONCE} is a placeholder your server must replace per request with a freshly generated, cryptographically
random value (at least 128 bits of entropy, base64-encoded). The same value must appear as the nonce="..." attribute on every
inline script the page ships.
report-to is the modern variant of CSP reporting. It requires the accompanying HTTP response header
Reporting-Endpoints: default="https://example.com/csp-report". Without that header the browser shows
violations in the console but does not send reports. report-uri is deprecated but still read by every
current browser, and it is the only reporting mechanism Firefox currently supports, so set both in parallel.
Note BSI APP.3.1: a strict CSP is a defense-in-depth measure - it sits alongside output
encoding, HttpOnly cookies and SameSite attributes in the layered defenses against XSS and
clickjacking. A nonce-based strict CSP per Google's pattern requires 'strict-dynamic', otherwise
dynamically inserted scripts get blocked.
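How the pieces above fit together on the server, as an added example that is not part of the original page: a fresh per-request nonce (128 bits from the OS CSPRNG, base64-encoded), a Content-Security-Policy or Report-Only header that uses the nonce together with 'strict-dynamic', report-to alongside report-uri plus the matching Reporting-Endpoints header, and a template check that every <script> tag carries the exact nonce. The function names (generate_nonce, build_csp, render_page, scripts_missing_nonce) and the PAGE_TEMPLATE are this example's own; object-src 'none' and base-uri 'none' are taken from the strict-CSP pattern the page refers to rather than from the page text; the report endpoint is the page's example URL.

```python
import base64
import re
import secrets

# Report endpoint as given in the page's Reporting-Endpoints example.
REPORT_ENDPOINT = "https://example.com/csp-report"

# Hypothetical page template, constructed for this example. {NONCE} is the
# placeholder the server replaces per request.
PAGE_TEMPLATE = """<!doctype html>
<html><head><title>Demo</title></head>
<body>
<script nonce="{NONCE}">console.log("bootstrapped");</script>
<script nonce="{NONCE}" src="/static/app.js"></script>
</body></html>
"""


def generate_nonce() -> str:
    """128 bits from the OS CSPRNG, base64-encoded; one per response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str, report_only: bool = False) -> dict:
    """Return the response headers for a nonce-based strict CSP.

    script-src carries the nonce plus 'strict-dynamic' so scripts inserted by
    an already-trusted script are allowed; object-src/base-uri 'none' follow
    the strict-CSP pattern (assumption, not from the page text). report-to and
    report-uri are both emitted, as is the Reporting-Endpoints header that
    report-to depends on.
    """
    policy = "; ".join([
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'none'",
        "report-to default",
        f"report-uri {REPORT_ENDPOINT}",
    ])
    header_name = (
        "Content-Security-Policy-Report-Only" if report_only
        else "Content-Security-Policy"
    )
    return {
        header_name: policy,
        "Reporting-Endpoints": f'default="{REPORT_ENDPOINT}"',
    }


def render_page(template: str, nonce: str) -> str:
    """Substitute the per-request nonce into every {NONCE} placeholder."""
    return template.replace("{NONCE}", nonce)


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')


def scripts_missing_nonce(html: str, nonce: str) -> list:
    """Return the opening <script> tags that lack the exact nonce value.

    Under a nonce-based policy the browser would block each of these, so the
    check is useful before a template goes to production.
    """
    missing = []
    for m in SCRIPT_TAG.finditer(html):
        found = NONCE_ATTR.search(m.group(1))
        if not found or found.group(1) != nonce:
            missing.append(m.group(0))
    return missing


def respond(report_only: bool = False) -> tuple:
    """Simulate one response: fresh nonce, headers, rendered body."""
    nonce = generate_nonce()
    return build_csp(nonce, report_only), render_page(PAGE_TEMPLATE, nonce)


if __name__ == "__main__":
    headers, body = respond(report_only=True)  # start the rollout in Report-Only mode
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body)
```

Switching report_only to False is the only change needed after the observation period; the nonce handling and the reporting headers stay identical.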
Inspect security headers of a URL
Fetches the URL and checks CSP plus the usual web security headers (HSTS, X-Content-Type-Options, Permissions-Policy, etc.).
Server path: this inspection does NOT run browser-local. We fetch the DNS record or HTTPS response via our server. We do not log the queried domain or the result. 12 requests per minute per IPv4 address or IPv6 /64 subnet.
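The kind of check an inspection like the one above performs, as an added stand-alone example (not the page's own tool, whose code is not shown): the CSP value is split into directives, script-src is examined for 'unsafe-inline' without a nonce or hash and for a missing 'strict-dynamic', the report-to / Reporting-Endpoints / report-uri combination from the notes above is verified, and the other headers the page lists (HSTS, X-Content-Type-Options, Permissions-Policy) are checked for presence. The two header sets are constructed for the example, not captured from a real site; parse_csp and audit_headers are this example's names.

```python
from typing import Dict, List

# Constructed sample response headers (not captured from any real site).
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
    "X-Frame-Options": "SAMEORIGIN",
}

STRONG_HEADERS = {
    "Content-Security-Policy": (
        "script-src 'nonce-R4nd0mV4lu3' 'strict-dynamic'; object-src 'none'; "
        "base-uri 'none'; report-to default; report-uri https://example.com/csp-report"
    ),
    "Reporting-Endpoints": 'default="https://example.com/csp-report"',
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

REQUIRED_HEADERS = ("strict-transport-security", "x-content-type-options", "permissions-policy")
# Source expressions that make browsers ignore 'unsafe-inline' in the same directive.
KEYED_SOURCES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';', tokens inside a directive by whitespace.
    The first occurrence of a directive wins; browsers ignore later duplicates.
    """
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a set of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP is Report-Only: violations are reported, not blocked")
        else:
            findings.append("no Content-Security-Policy header")
    else:
        d = parse_csp(csp)
        # script-src falls back to default-src when it is absent.
        script = d.get("script-src", d.get("default-src", []))
        keyed = any(s.startswith(KEYED_SOURCES) for s in script)
        if "'unsafe-inline'" in script and not keyed:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if keyed and "'strict-dynamic'" not in script:
            findings.append("nonce/hash-based script-src lacks 'strict-dynamic'")
        if "object-src" not in d and "default-src" not in d:
            findings.append("object-src is unrestricted; add object-src 'none'")
        if "report-to" in d and "reporting-endpoints" not in h:
            findings.append("report-to set but Reporting-Endpoints header missing; no reports will be sent")
        if "report-to" in d and "report-uri" not in d:
            findings.append("report-to without report-uri; Firefox currently only honours report-uri")

    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing {name}")
    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options must be 'nosniff'")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or ['no findings']}")
```

Feed the function the header dictionary returned by any HTTP client; header names are matched case-insensitively, so the exact casing a server uses does not matter.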