Frontend Developer
hard
content-security-policy

What is Content Security Policy (CSP) and what does it protect against?

Answer

CSP is a security header that restricts what resources a page can load and execute.

**It helps prevent:**
- XSS (by blocking inline scripts and untrusted sources)
- Data exfiltration via untrusted endpoints

**Common directives:** `default-src`, `script-src`, `style-src`, `img-src`, `connect-src`.

Start with report-only mode, then tighten policies gradually.

Related Topics

Security, Web, Headers