nerdexam
(ISC)2

CISSP · Question #1223

What Hypertext Transfer Protocol (HTTP) response header can be used to disable the execution of inline JavaScript and the execution of eval()-type functions?

The correct answer is D. Content-Security-Policy. The Content-Security-Policy (CSP) HTTP response header allows web server administrators to control the sources and types of content that can be loaded and executed by web browsers. By specifying a CSP policy, the web server can prevent the execution of inline JavaScript and the e

Submitted by anjalisingh· Mar 5, 2026Software Development Security

Question

What Hypertext Transfer Protocol (HTTP) response header can be used to disable the execution of inline JavaScript and the execution of eval()-type functions?

Options

  • AStrict-Transport-Security
  • BX-XSS-Protection
  • CX-Frame-Options
  • DContent-Security-Policy

How the community answered

(40 responses)
  • A
    3% (1)
  • B
    8% (3)
  • C
    3% (1)
  • D
    88% (35)

Explanation

The Content-Security-Policy (CSP) HTTP response header allows web server administrators to control the sources and types of content that can be loaded and executed by web browsers. By specifying a CSP policy, the web server can prevent the execution of inline JavaScript and the execution of eval()- type functions, which are often used by attackers to inject malicious code into web pages. This can help mitigate cross-site scripting (XSS) attacks, which are a common web application security threat.

Topics

#HTTP security headers#Content Security Policy (CSP)#Web application security#XSS prevention

Community Discussion

No community discussion yet for this question.

Full CISSP Practice