Problem Statement
Which header helps reduce XSS by controlling where scripts can load from?
Explanation
The Content-Security-Policy (CSP) header whitelists the sources scripts may load from and, when designed well, can also block inline script execution. It complements secure coding and output encoding to cut XSS risk.
Code Solution
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com
