W3C CSP Level 3 · W3C · Must Know · Product

Content Security Policy Level 3

State & Sessions · World Wide Web Consortium
WHY YOU NEED THIS

A well-configured CSP is the strongest mitigation against XSS. Required by modern security audits and browser hardening.

What It Defines

Defines the Content-Security-Policy HTTP header. Controls what scripts, styles, images, frames, and other resources a page may load or execute. Primary defense against XSS attacks.


csp · security · xss · browser · headers
Standards Body
World Wide Web Consortium

Publishes web platform specs including CSS, accessibility, security policies, Service Workers, Web App Manifest, and many browser APIs. Also maintains some versioned HTML/DOM specs.


Related Specs

Fetch Standard §CORS · WHATWG · Must Know

CORS

Every browser-side API call to a different origin hits CORS. Misconfigured CORS is a top source of dev frustration and security holes.

Product · State & Sessions
RFC 9110 · RFC · Must Know

HTTP Semantics

This is the core contract of every web API, browser request, and server response. You can't design or debug HTTP without knowing this.

Product · HTTP