CSP

[tmackenzie]

Add the header, Content-Security-Policy with the default value, default-src: 'self'; The value should be able to be overridden in shape. Possibly with a group and target.

Doing so will make it harder for XSS attacks per OSWAP

Its specifically defined here

[tmackenzie]

This should be the application's responsibility via a before and or after.