Content Security Policy
One of the most important defences a website can deploy against XSS (cross-site scripting) attacks is a response header called Content Security Policy (CSP for short). CSP restricts where the browser may load scripts, stylesheets, fonts, images and AJAX (XMLHttpRequest/fetch) targets from: for each resource type you list the origins that are allowed as sources, and the browser refuses everything else, including inline scripts unless the policy explicitly permits them. CSP does not remove an XSS bug from your code, but it stops an injected script from being executed or from loading attacker-controlled resources.
The plugin supports both Report and Live policy mode. In Report mode the policy is sent as the Content-Security-Policy-Report-Only header: the browser reports violations but blocks nothing, so you can test a policy against your site and confirm that every file still loads before switching to Live mode, where the policy is sent as the Content-Security-Policy header and enforced. You can also enable logging of reports. Whenever the browser detects a violation of the policy, it POSTs a JSON report to the report address configured in the policy (the report-uri directive) on your website, and the plugin processes that request into the event log. Check the log for a while in Report mode first: inline scripts and styles added by themes and other plugins are the most common violations, and they would be blocked silently in Live mode.
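As an added example, not the plugin's own code, the following shows what the two modes amount to on the wire and how a report endpoint turns a browser violation report into a log event. The sample policy, the /csp-report path and the two violation reports are constructed for the example; the report format (a JSON object under the "csp-report" key) is what browsers send to a report-uri.

```python
"""Added example (not the plugin's code): build a CSP header in Live
(enforcing) or Report mode, and parse a browser violation report into
a log event, rejecting malformed or oversized bodies."""
import json

# Constructed sample policy: everything self-hosted except Google Fonts.
SAMPLE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "https://fonts.googleapis.com"],
    "font-src": ["'self'", "https://fonts.gstatic.com"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
}


def build_policy(directives, report_uri=None):
    """Serialise a directive -> sources mapping into a CSP header value."""
    parts = [f"{name} {' '.join(sources)}" for name, sources in directives.items()]
    if report_uri:
        # report-uri tells the browser where to POST violation reports.
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def csp_header(directives, report_only, report_uri=None):
    """Return (header name, header value). report_only=True is Report mode:
    the browser reports violations but does not block anything."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, build_policy(directives, report_uri)


# Fields of the csp-report object worth keeping in an event log.
REPORT_FIELDS = (
    "document-uri", "violated-directive", "effective-directive",
    "blocked-uri", "source-file", "line-number", "original-policy",
)


def parse_violation_report(body, max_len=8192):
    """Parse the JSON body a browser POSTs to report-uri.

    Returns a dict of allow-listed fields, or None if the body is not a
    usable report. The endpoint is unauthenticated and reachable by anyone,
    so size and shape are checked before anything is logged."""
    if len(body) > max_len:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    event = {}
    for key in REPORT_FIELDS:
        value = report.get(key)
        if value is None:
            continue
        if isinstance(value, str):
            value = value[:1024]  # bound per-field size in the log
        event[key] = value
    return event


# Constructed reports: an external script blocked by script-src, and an
# inline script (blocked-uri "inline"), which is what Report mode usually
# reveals on a WordPress site before Live mode is switched on.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page",
    "referrer": "",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": build_policy(SAMPLE_POLICY, "/csp-report"),
    "blocked-uri": "https://evil.example/x.js",
    "status-code": 200,
}})
SAMPLE_INLINE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "source-file": "https://example.com/page",
    "line-number": 42,
}})

if __name__ == "__main__":
    for report_only in (True, False):
        print(": ".join(csp_header(SAMPLE_POLICY, report_only, "/csp-report")))
    for body in (SAMPLE_REPORT, SAMPLE_INLINE_REPORT, "not json", "x" * 9000):
        print(parse_violation_report(body))
```

The same directive set produces both headers; only the header name changes between Report and Live mode, which is why a policy validated in Report mode can be switched to Live without being rewritten.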
The plugin supports all currently active CSP directives defined by the CSP 1 and CSP 2 specifications. Older browsers do not fully support the CSP 2 additions (such as nonce and hash sources, child-src and frame-ancestors), but the basic source rules for scripts, styles, fonts and images work in all popular browsers.