Content Security Policy headers allow us to do exactly that in browsers that understand them (which all modern browsers do). So if we add one of these headers, we can make our site more secure against attackers by blocking scripts and other resources from loading from origins where we don't want them to run.
These directives are combined to define your security policy. The following CSP allows everything from the site's own origin ('self') plus the Google Analytics and CDN script hosts. Resource types without their own directive (objects, frames, media, fonts) fall back to default-src; if default-src were set to 'none', those would all be blocked.
default-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com; connect-src 'self'; img-src 'self'; style-src 'self';
So how do you add these headers to your site? The simplest way is to set the header for your entire site at the web server. How you do this depends on which server your site runs on. Here's how to apply it to an entire server:
Apache (httpd.conf or .htaccess, requires mod_headers):
Header set Content-Security-Policy "default-src 'self';"
nginx (server block):
add_header Content-Security-Policy "default-src 'self';";
IIS (web.config):
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="default-src 'self';"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>
You can also apply this on a page-by-page basis by writing the header from whichever server-side language you use to generate the web pages.
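To see how the directives combine and how the default-src fallback decides what a browser will load, here is a small added example (not code from the original post) that parses the header value shown earlier, rebuilds it, and answers "would this load be allowed?" for a given directive and host. It models only plain host names, 'self' and 'none', so it is an assumption that the policies you feed it use nothing fancier (no wildcards, schemes, nonces or hashes).

```python
"""Toy CSP evaluator: parses a Content-Security-Policy header value and
decides whether a resource load would be permitted.  Added example, not
from the original post; it models only the fallback-to-default-src rule
and plain host / 'self' / 'none' source expressions."""
from typing import Dict, List

# Constructed copy of the example header value from the post.
EXAMPLE_POLICY = ("default-src 'self'; script-src 'self' www.google-analytics.com "
                  "ajax.googleapis.com; connect-src 'self'; img-src 'self'; "
                  "style-src 'self';")


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split 'name src src; name src;' into {name: [src, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def build_csp(policy: Dict[str, List[str]]) -> str:
    """Inverse of parse_csp: combine directives into one header value,
    e.g. for a server-side handler that sets the header per page."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items()) + ";"


def is_allowed(header_value: str, directive: str, host: str, page_host: str) -> bool:
    """Would a load of type `directive` (script-src, img-src, ...) from `host`
    be permitted on a page served from `page_host`?  A fetch directive that is
    absent falls back to default-src; if that is absent too the load is
    allowed, because CSP only restricts what it names."""
    policy = parse_csp(header_value)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and host.lower() == page_host.lower():
            return True
        if src.lower() == host.lower():
            return True
    return False
```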