## TL;DR

Content Security Policy (CSP) is a security standard that helps prevent XSS, clickjacking, and code injection attacks by controlling which resources a web page is allowed to load. It is delivered via the `Content-Security-Policy` HTTP header or a `<meta>` tag.

## Core Explanation

Key directives:

- `default-src`: fallback for the fetch directives below when they are not set explicitly.
- `script-src`, `style-src`, `img-src`: where scripts, stylesheets and images may be loaded from.
- `connect-src`: endpoints reachable via fetch, XHR and WebSocket.
- `frame-ancestors`: which origins may embed the page (clickjacking protection).
- `form-action`: where forms may be submitted.

CSP supports nonces and hashes for allowing individual inline scripts. `report-uri`/`report-to` send violation reports to a collection endpoint. Strict CSP built on a fresh `'nonce-...'` per response is the recommended deployment strategy.

## Further Reading

- [Content Security Policy Level 2 (W3C Recommendation)](https://www.w3.org/TR/CSP2/)