One of the most important features your website needs to prevent various XSS (cross-site scripting) attacks is a special response header called Content Security Policy (or CSP for short). CSP restricts which scripts, fonts, stylesheets and AJAX calls the browser may load and run: for each type of resource, you specify which domains are allowed as sources for external files.

Some CSP Settings
So, if code is injected into your website that depends on loading JavaScript from the attacker's own site, a correctly configured CSP stops the browser from loading and executing that script, because its domain is not authorized by the policy.

The plugin supports both Report and Live policy modes. In Report mode, the browser only reports violations without blocking anything, so you can test a policy and make sure all of your site's files still load. You can also enable logging of reports: whenever the browser detects a CSP violation, it sends a report back to your website, and the plugin records that request in its event log.
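To make the two modes and the report logging concrete, here is an added example (not the plugin's own code) that builds the header for either mode and turns the JSON violation report a browser POSTs to `report-uri` into a flat event-log record. The policy sources, the `/csp-report` endpoint and the sample report are constructed values for the demonstration.

```python
import json

# Constructed sample policy: one source list per directive (not the plugin's defaults).
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "style-src": ["'self'"],
    "font-src": ["'self'", "https://fonts.gstatic.com"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
}


def build_csp_header(policy, report_only, report_uri=None):
    """Return (header_name, header_value).

    Report mode uses Content-Security-Policy-Report-Only, which only reports
    violations; Live mode uses Content-Security-Policy, which blocks them.
    """
    directives = ["%s %s" % (name, " ".join(sources)) for name, sources in policy.items()]
    if report_uri:
        directives.append("report-uri " + report_uri)  # where the browser POSTs reports
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


def parse_violation_report(body):
    """Flatten the browser's {"csp-report": {...}} JSON body into an event-log record."""
    report = json.loads(body).get("csp-report", {})
    return {
        "page": report.get("document-uri"),
        # CSP 2 browsers send effective-directive; older ones only violated-directive.
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "blocked": report.get("blocked-uri"),
        "source": report.get("source-file"),
    }


# Constructed sample report, shaped like what a browser sends for a script from an unlisted host.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/",
    "violated-directive": "script-src 'self' https://cdn.example.com",
    "effective-directive": "script-src",
    "blocked-uri": "https://unauthorized.example.net/inject.js",
}})

if __name__ == "__main__":
    print(build_csp_header(POLICY, report_only=True, report_uri="/csp-report"))
    print(parse_violation_report(SAMPLE_REPORT))
```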

The plugin supports all currently active CSP directives defined by both the CSP 1 and CSP 2 specifications. CSP 2 is not fully supported by every browser, but the basic rules for scripts, styles, fonts and images work in all popular browsers.