Choose the best description of what CSP is designed to do.
Think about how CSP controls what content a browser can load.
CSP is a browser-enforced security mechanism that mitigates attacks such as cross-site scripting (XSS) and other content injection by restricting, per resource type, which origins and which inline code a page may load or execute. It is a defense in depth that limits what an injected payload can do; it does not replace output encoding and input validation.
Select the correct HTTP header name that delivers CSP rules to browsers.
Look for the header that directly mentions 'Content-Security-Policy'.
The standard header is 'Content-Security-Policy'. The earlier experimental headers 'X-Content-Security-Policy' (Firefox, IE) and 'X-WebKit-CSP' (WebKit browsers) are deprecated and should not be relied on. A related header, 'Content-Security-Policy-Report-Only', evaluates the same policy but only reports violations instead of enforcing them, which is the usual way to roll a new policy out without breaking the site.
A page's CSP contains script-src 'self', but the page tries to load an inline script. Analyze the effect of this CSP directive on inline scripts.
Consider what 'self' allows and how inline scripts are treated by default.
The directive script-src 'self' allows external scripts only from the page's own origin. Inline scripts (<script> blocks without a src attribute, inline event handlers such as onclick, and javascript: URLs) are blocked and reported as violations unless the script-src source list also contains 'unsafe-inline', a matching 'nonce-...' value, or a matching 'sha256-...' hash of the script text. 'unsafe-inline' reopens the XSS hole CSP is meant to close, so nonces or hashes are the preferred fix. Note that a nonce or hash on a <script> element does not unblock inline event handlers; those should be moved into a script file and attached with addEventListener.
Consider the default-src and script-src directives in CSP. Which statement correctly explains their relationship?
Think about how CSP applies general and specific rules.
default-src is the fallback for the fetch directives (script-src, style-src, img-src, connect-src, font-src, media-src, and so on). If a specific directive such as script-src is present, it replaces default-src entirely for that resource type; the two source lists are not merged, so script-src https://cdn.example.com does not also allow same-origin scripts just because default-src 'self' is set. A few directives never fall back to default-src at all (frame-ancestors, base-uri, form-action, sandbox, report-uri): leaving them out leaves those behaviours unrestricted.
Given the policy Content-Security-Policy: default-src 'none'; img-src https://images.example.com; script-src 'self' 'nonce-abc123', which of the following is true? Analyze which resources are allowed to load or execute.
Consider how each directive limits resource loading and the role of 'none' in default-src.
default-src 'none' blocks every resource type that has no directive of its own: stylesheets, fonts, frames, media, fetch/XHR/WebSocket connections and the rest. img-src allows images only from https://images.example.com; because img-src replaces default-src rather than merging with it, images from the page's own origin are blocked as well. script-src allows external scripts from the same origin ('self') and inline <script> elements carrying nonce="abc123"; inline scripts without that nonce are blocked. Everything else is blocked. One caveat: frame-ancestors does not fall back to default-src, so this policy does nothing to stop other sites from framing the page.
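The following is an added example, not code from the original page: a small evaluator for CSP fetch directives that implements the fallback rule from the default-src question and runs the quiz policy above through it, including the cases the explanations call out (same-origin image blocked, inline script with and without the nonce, frame-ancestors not falling back, 'unsafe-inline' ignored once a nonce is present). The page origin https://app.example.com and the resource URLs are assumptions for the demo; hash sources, 'strict-dynamic' and redirect handling are deliberately left out.

```javascript
// Added example (not from the original page): evaluate CSP fetch directives.
// Effective directive = the specific directive if present, else default-src,
// except for directives that never fall back. Page origin is an assumption.

// Directives that never fall back to default-src.
const NO_FALLBACK = new Set([
  'frame-ancestors', 'base-uri', 'form-action', 'sandbox', 'report-uri', 'report-to',
]);
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "default-src 'none'; img-src https://x" -> Map { 'default-src' => ["'none'"], ... }
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // duplicate directive: first wins
  }
  return directives;
}

// The source list governing `directive`, or null if nothing restricts it.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (NO_FALLBACK.has(directive)) return null;
  return directives.get('default-src') || null;
}

// host-source: [scheme://][*.]host[:port|:*][/path]
function hostSourceMatches(src, target, page) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\*|\d+))?(\/.*)?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    if (target.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (target.protocol !== page.protocol &&
             !(page.protocol === 'http:' && target.protocol === 'https:')) {
    return false; // no scheme in source: page's scheme, or an https upgrade of it
  }
  const h = host.toLowerCase();
  const t = target.hostname.toLowerCase();
  if (wildcard ? !t.endsWith('.' + h) : t !== h) return false;
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || '';
  if (port === undefined) {
    if (target.port !== '') return false; // no port in source: URL must use the default port
  } else if (port !== '*' && port !== targetPort) {
    return false;
  }
  if (path) return path.endsWith('/') ? target.pathname.startsWith(path) : target.pathname === path;
  return true;
}

function sourceMatches(src, target, page) {
  if (src === "'self'") return target.origin === page.origin;
  if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (src === '*') return !['data:', 'blob:', 'filesystem:'].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase(); // scheme-source
  return hostSourceMatches(src, target, page);
}

// May a resource of type `directive` (e.g. 'img-src') be loaded from `url`?
function resourceAllowed(policy, pageOrigin, directive, url) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true; // nothing governs this type
  const target = new URL(url);
  const page = new URL(pageOrigin);
  return sources.some((src) => sourceMatches(src, target, page));
}

// May an inline <script> (carrying `nonce`, if any) execute?
function inlineScriptAllowed(policy, nonce) {
  const sources = effectiveSources(parsePolicy(policy), 'script-src');
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  // Browsers ignore 'unsafe-inline' once a nonce or hash is present in the list.
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Worked run over the quiz policy; returns check name -> allowed?
function demo() {
  const page = 'https://app.example.com'; // assumed page origin
  const policy = "default-src 'none'; img-src https://images.example.com; script-src 'self' 'nonce-abc123'";
  return {
    remoteImage: resourceAllowed(policy, page, 'img-src', 'https://images.example.com/logo.png'),
    sameOriginImage: resourceAllowed(policy, page, 'img-src', 'https://app.example.com/logo.png'),
    sameOriginScript: resourceAllowed(policy, page, 'script-src', 'https://app.example.com/app.js'),
    cdnScript: resourceAllowed(policy, page, 'script-src', 'https://cdn.example.com/lib.js'),
    inlineWithNonce: inlineScriptAllowed(policy, 'abc123'),
    inlineWithoutNonce: inlineScriptAllowed(policy, null),
    stylesheet: resourceAllowed(policy, page, 'style-src', 'https://app.example.com/a.css'),
    fetchToApi: resourceAllowed(policy, page, 'connect-src', 'https://api.example.com/v1'),
    framedByOtherSite: resourceAllowed(policy, page, 'frame-ancestors', 'https://other.example'),
    unsafeInlineIgnored: inlineScriptAllowed("script-src 'self' 'unsafe-inline' 'nonce-abc123'", null),
  };
}

console.table(demo());
```

The output table makes the two easy-to-miss answers visible: sameOriginImage is false because img-src replaced default-src rather than merging with it, and framedByOtherSite is true because frame-ancestors has no fallback and the policy never set it.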