Security
Reference cards for web security primitives: Content Security Policy, Subresource Integrity, SameSite cookies, Trusted Types, COOP/COEP/CORP, and adjacent specs.
-
Content Security Policy: directives, nonces, and reporting
CSP is the response header that tells the browser which scripts, styles, frames, and network connections a page is allowed to load. A correctly authored CSP eliminates whole classes of XSS attacks, at the cost of a careful inventory of trusted sources.
-
Subresource Integrity (SRI)
SRI protects pages from a compromised CDN by pinning the cryptographic hash of an external script or stylesheet. The browser refuses to execute or apply a resource whose hash does not match the value in its integrity attribute.