CSP directives. Base-ic misconfigurations with big consequences
ID: 17bd8dcc-64c6-5d7f-9788-bfa5a734d469
STIX ID: report--17bd8dcc-64c6-5d7f-9788-bfa5a734d469
Feed Name: Pen Test Partners Blog
This report explains how a misconfigured Content Security Policy (CSP) can undermine web security, showcasing a real-world-style XSS bypass caused by a missing `base-uri` directive, which allowed an injected HTML `<base>` tag to redirect relative script URLs to an external host. It details hardening strategies including restricting `base-uri` to `'self'` or `'none'`, using nonces with `'strict-dynamic'` to safely load dependent scripts, avoiding dangerous directives such as `'unsafe-inline'` and `'unsafe-eval'`, and adopting `frame-ancestors` in place of the deprecated X-Frame-Options header. The report also recommends using `Content-Security-Policy-Report-Only` during development to tune policies without user impact.
