
What is Content-Security-Policy (CSP) and how does it mitigate XSS?

CSP is a response header that restricts which sources the browser may load and execute (scripts, styles, frames, etc.). A strict policy — e.g. default-src 'self'; script-src 'nonce-<random>'; object-src 'none'; base-uri 'none' — blocks inline scripts and untrusted origins, so script injected through markup won't execute unless it carries a valid nonce or hash. Best practice: use a nonce- or hash-based script-src, avoid 'unsafe-inline' and 'unsafe-eval', set object-src 'none' and frame-ancestors, and use report-to to monitor violations. CSP is defense-in-depth — a second layer behind contextual output encoding, not a replacement for it.
