With a defense-in-depth security approach, the Content-Security-Policy (CSP) response header can be
added to instruct client browsers to block loading of any content that does not meet the
application’s security requirements. If configured correctly, this can block attempts
to exploit XSS in the application, because the browser refuses to execute injected scripts that the policy does not allow.
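As an added example (not code from the original page), a small Python audit that parses a CSP header and flags the script-source settings that undermine its XSS protection; the sample policies in the test are constructed:

```python
"""Audit a Content-Security-Policy header for script settings that weaken XSS protection."""
from typing import Dict, List, Optional

# script-src governs script execution; default-src is its fallback when absent.
SCRIPT_DIRECTIVES = ("script-src", "default-src")
# When a nonce or hash source is present, CSP2+ browsers ignore 'unsafe-inline'.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Wildcard and scheme-only sources allow scripts from any host on that scheme.
BROAD_SOURCES = ("*", "http:", "https:", "data:")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            # Per spec, a repeated directive name is ignored; the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list that actually governs scripts, or None if unrestricted."""
    for name in SCRIPT_DIRECTIVES:
        if name in policy:
            return [s.lower() for s in policy[name]]
    return None


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means no script weakness found."""
    findings: List[str] = []
    sources = script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: scripts may load from any origin"]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline' permits injected inline scripts and event handlers")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' permits eval()-style string-to-code execution")
    broad = [s for s in sources if s in BROAD_SOURCES]
    if broad:
        findings.append("overly broad script sources: " + ", ".join(broad))
    return findings
```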