Content Security Policy (CSP) is an extra level of security that assists with locating and repelling specific intrusion types such as Cross-Site Scripting (XSS) and data injection. Data thieves utilize these for stealing information, vandalizing websites, and spreading malicious software.
CSP allows backward compatibility (although CSP version 2 has particular limitations). Browsers that don’t accommodate it still function with servers that do employ it, and the reverse is also true: browsers that do not accommodate CSP will pay no attention to it, normally, falling back on the typical same-origin policy for web content. If the site will not permit the CSP header, browsers will use the basic same-origin policy.
You can initiate CSP by having your webserver send the Content-Security-Policy HTTP header. (There could be times when you see references to the X-Content-Security-Policy header, but this is an obsolete version that no longer applies.)
You could also use
<meta>for setting up a policy, for instance:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">