Content Security Policy Level 3

What it is

Content Security Policy Level 3 — a Working Draft from the W3C Web Application Security Working Group. Defines a header that lets a site declare which sources the browser may fetch or execute. Strict CSP (nonces or hashes plus 'strict-dynamic') is the modern XSS mitigation pattern.

Why it matters

A correctly-configured CSP turns most XSS findings from 'critical' into 'no impact'. Wrong CSP — wildcards, 'unsafe-inline', no script-src — provides false comfort with no actual protection.

Who it applies to

Every site rendering HTML — defense-in-depth against script injection.

How WQI scores it

Web Quality Index considers this standard satisfied when the supporting factor passes.

Related standards

See also

Security headers , SRI , XFO , Permissions-Policy

Standards that share factors with this one

Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.

• Cross-Origin isolation (COOP / COEP / CORP) 1 shared factor Security Three response headers that together unlock SharedArrayBuffer and high-resolution timers — and incidentally close a class of cross-origin side-channel leaks.
• HTTP Strict Transport Security 1 shared factor Security One header tells every future visitor 'always HTTPS, never HTTP, no exceptions'. Should ship everywhere; preload only after you're sure.
• ISO/IEC 27001:2022 1 shared factor Security International gold standard for an Information Security Management System. The 2022 revision restructures the Annex A controls to align with ISO 27002:2022.
• NIST Cybersecurity Framework 2.0 1 shared factor Security Voluntary, US-government-blessed taxonomy for cybersecurity programs. The 2.0 revision (Feb 2024) added a 'Govern' function alongside the original Identify / Protect / Detect / Respond / Recover.
• OWASP Top 10 (2025) 1 shared factor Security Industry consensus on the ten most critical web application security risks. The 2025 edition is current; 2021 is superseded but still widely referenced.

Other references

• guidance MDN — Content-Security-Policy
• tooling Google CSP Evaluator
• guidance OWASP CSP Cheat Sheet
• guidance web.dev — Strict CSP

Implementation guidance

• Cloudflare Cloudflare — set CSP via Transform Rules
• Generic web.dev — Mitigate XSS with Strict CSP
• Generic MDN — CSP guide