In order to protect your application on the client side, content security filtering (CSP) has been introduced. It is basically an HTTP Header added by your web application to instruct a browser to handle content in a certain secure way.
Unfortunately, as it is dependent on the browser technology, not all browsers support CSP and not all browsers act on the same HTTP Header. However, for most recent browsers you can improve your overall security by introducing CSP. Older browsers will not use this additional safety.
You can enable CSP fully or in reporting mode. Fully means that the browser will block all non-allowed elements. In reporting mode, means that the browser will send reports back to the server of all things that are not allowed. These reports are posted in to a REST service hosted by your application. This is a nice way for developers to test their application and see whether or not everything works fine with CSP enabled.
Enabling CSP & AngularJS
Enabling CSP has impact on the frameworks you are using. Suppose you are using AngularJS and/or BootStrap. Then you might need to set up things a bit different.
In AngularJS 1.3.9 you need to include a stylesheet angular-csp.css seperately. Also, you should add ng-csp as an attribute in your html tag.
Then start debugging in your browser to see what goes wrong and should be changed in your application to make it more safe.
The HTTP Headers you should provide are at least the following:
The values can be the same for each header, but this will cover most browsers. -Report-Only can be added in reporting mode.
For more info see the official web sites on CSP and check out sample implementations on OWASP.
You should start using CSP early in your project development. Because it will be hard to fix all non compliant issues later on.