# Content Security Policies: Let’s Break Stuff

• A Content Security Policy (CSP) lets you limit the damage an XSS vulnerability can cause
• Hard to get right the first time (especially where it interacts with browser extensions), but report-uri and Content-Security-Policy-Report-Only make rollout easier to manage
• Use a nonce to safely allow trusted inline scripts
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP