Certified Information Systems Security Professional (CISSP) — Question 401

What Hypertext Transfer Protocol (HTTP) response header can be used to disable the execution of inline JavaScript and the execution of eval()-type functions?

Answer options

Correct answer: B

Explanation

The correct answer is B, Content-Security-Policy. This header lets the server declare which sources of content the browser may trust; once a script-src policy is set, the browser refuses to execute inline scripts and eval()-type functions unless the policy explicitly re-enables them. The other options, while related to security, do not address the execution of inline JavaScript: A concerns XSS protection, C concerns framing, and D concerns enforcing secure connections.