HTTP headers / response header

Content-Security-Policy

Content-Security-Policy: default-src 'self'; img-src *

What it does

Declares which sources the browser may load scripts, styles, images and other resources from — the browser's primary mitigation against cross-site scripting (XSS).

The gotcha

Deploy as Content-Security-Policy-Report-Only first, so violations are reported to you without being blocked; a strict CSP shipped blind breaks inline scripts and third-party embeds instantly.
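As an added example (not from this page or from ReqPad), the rollout the gotcha describes, in Python: the Report-Only header is built from the page's own policy, and the violation reports browsers post back are aggregated per directive so you can see what the enforced policy would break before renaming the header. The report endpoint path and the sample reports are constructed for illustration.

```python
"""Aggregate CSP violation reports collected during a Report-Only rollout.

Added example, not part of the original page or of ReqPad. The sample reports
mimic the legacy report-uri JSON a browser POSTs; /csp-reports is a placeholder.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

POLICY = "default-src 'self'; img-src *"   # the policy from the page


def report_only_header(policy: str, endpoint: str = "/csp-reports") -> str:
    """Header to ship first: same directives, but violations are reported to
    `endpoint` instead of being blocked. Switching to enforcement later is
    just renaming the header to Content-Security-Policy."""
    return f"Content-Security-Policy-Report-Only: {policy}; report-uri {endpoint}"


def summarize(reports):
    """Map each violated directive to the sources the enforced policy would
    block. 'inline' and 'eval' are kept verbatim: they need a nonce/hash or a
    code change, not an allowlist entry, so they must not be turned into
    origins."""
    blocked = defaultdict(set)
    for raw in reports:
        body = json.loads(raw)["csp-report"]
        directive = body.get("effective-directive") or body["violated-directive"].split()[0]
        uri = body.get("blocked-uri", "")
        if "://" not in uri:                      # inline, eval, data:, empty
            blocked[directive].add(uri or "unknown")
        else:
            parts = urlsplit(uri)                 # reduce to origin for an allowlist
            blocked[directive].add(f"{parts.scheme}://{parts.netloc}")
    return {d: sorted(s) for d, s in blocked.items()}


# Constructed sample reports: a third-party script, an inline handler, and a
# cross-origin stylesheet reported twice (duplicates collapse in the summary).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://app.example/", "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/", "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src", "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/", "violated-directive": "style-src 'self'",
                               "effective-directive": "style-src", "blocked-uri": "https://fonts.example.org/a.css"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/help", "violated-directive": "style-src 'self'",
                               "effective-directive": "style-src", "blocked-uri": "https://fonts.example.org/b.css"}}),
]

if __name__ == "__main__":
    print(report_only_header(POLICY))
    for directive, sources in summarize(SAMPLE_REPORTS).items():
        print(f"{directive}: {', '.join(sources)}")
```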

Debugging headers on a phone

The fastest way to see what Content-Security-Policy is actually doing is to send the request and read both sides raw — ReqPad shows auto-generated and custom headers for every request, on all six protocols, with history.

Inspect Content-Security-Policy on a live request.

Build the request, send it, read raw headers and timing — from your iPhone. Free to start.