• Definition: A security header that tells browsers what content (scripts, styles, images) can load.

👉 Example:

Content-Security-Policy: default-src 'self'; script-src 'self' <https://cdn.example.com>

• default-src 'self' → only allow resources from same origin.
• script-src → whitelist trusted JavaScript sources.

✅ Prevents:

• XSS (injecting arbitrary scripts).
• Data injection attacks.

⚠️ Weak CSP (e.g., unsafe-inline) → makes CSP useless.

⚡ Pentesting Focus

• Look for missing/weak CSP.
• Test XSS payloads → if CSP blocks them, check bypass tricks (like JSONP endpoints, misconfigured whitelists).