Content Security Policy is the most effective browser measure for web application security in a decade, and one of the reasons why browser developers have started removing other security safeguards like their Cross-Site Scripting auditor. But creating an effective Content Security Policy is not always trivial. This session will discuss lessons learned from many CSP projects: What works, what issues there are, and what features we can look forward to.