Web security
What is CSP?
A Content-Security-Policy is a response header that whitelists where a page may load scripts, styles, images, and frames from — and, critically, whether inline scripts may run at all. A well-built CSP is the single most effective defence against cross-site scripting (XSS): even if an attacker injects a <script> tag, the browser refuses to execute it. The hard part is enumerating your real sources.
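The following is an added example, not code from the original page: it builds a policy from the resources a page was observed to load (the "enumerating your real sources" step) and checks whether a given header would let an inline script run. The function names, the resource-kind labels and the sample URLs are assumptions made for illustration, and the inline check is a simplified model of browser behaviour that does not cover 'strict-dynamic'.

```javascript
// Map resource kinds (labels assumed for this sketch) to CSP fetch directives.
const DIRECTIVE = { script: 'script-src', style: 'style-src', image: 'img-src', frame: 'frame-src' };

// Build a policy from observed loads: start from default-src 'none' and allow
// only the origins actually seen for each resource kind.
function buildPolicy(pageUrl, observed) {
  const pageOrigin = new URL(pageUrl).origin;
  const sources = {};
  for (const { kind, url } of observed) {
    const directive = DIRECTIVE[kind];
    if (!directive) continue; // kinds outside this sketch are skipped
    const origin = new URL(url, pageUrl).origin; // resolves relative URLs
    (sources[directive] ||= new Set()).add(origin === pageOrigin ? "'self'" : origin);
  }
  const parts = ["default-src 'none'"];
  for (const directive of Object.keys(sources).sort()) {
    parts.push(`${directive} ${[...sources[directive]].sort().join(' ')}`);
  }
  return parts.join('; ');
}

// Parse a header value into { directive: [sources] }; a repeated directive is ignored.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Inline scripts run only if the governing list (script-src, else default-src)
// has 'unsafe-inline' and no nonce or hash source, which would override it.
function allowsInlineScript(header) {
  const policy = parsePolicy(header);
  const list = policy['script-src'] ?? policy['default-src'];
  if (list === undefined) return true; // no governing directive: scripts unrestricted
  const lower = list.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample data: one page and the loads recorded for it.
const PAGE = 'https://shop.example/cart';
const OBSERVED = [
  { kind: 'script', url: '/static/app.js' },
  { kind: 'script', url: 'https://cdn.example.net/lib.min.js' },
  { kind: 'style', url: '/static/site.css' },
  { kind: 'image', url: 'https://img.example.org/logo.png' },
];
```

Calling buildPolicy(PAGE, OBSERVED) yields a header value in which an injected inline script has no permission to run, while a policy that adds 'unsafe-inline' to script-src gives that protection up.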