HttpOnly

HttpOnly is a cookie attribute that the server sets when it issues a cookie to a client (browser). It tells the browser not to expose the cookie to JavaScript running in the page: through the regular browser APIs, a script is unable to read the cookie's value.

This mitigation prevents an attacker who has achieved XSS from reading the session cookie with script and exfiltrating it, which would otherwise let them hijack the user's session. More on this mitigation is provided by OWASP:

Content security policy (CSP)

CSP is a response header provided by the server to a client (browser). A CSP policy lets website administrators tell clients which content sources to trust and where content may be fetched from. For example, if the server serves HTML that loads images or other media from an external origin, that origin should be listed in the CSP, or the content should be served by the server itself.

This mitigation prevents things like an attacker injecting HTML that loads frames with malicious content from a different server that the original server does not trust. More on this mitigation is provided by Mozilla:
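As an added example (not from the original page), the following check inspects a set of HTTP response headers for both mitigations described above: whether each Set-Cookie carries HttpOnly (and Secure), and whether a CSP restricts the image and frame sources the page may load. The header values are constructed for the demonstration.

```python
# Added example: review response headers for HttpOnly cookies and CSP coverage.
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple

def cookie_flags(set_cookie: str) -> Dict[str, Dict[str, bool]]:
    """Map cookie name -> {"httponly": bool, "secure": bool} for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    return {name: {"httponly": bool(m["httponly"]), "secure": bool(m["secure"])}
            for name, m in jar.items()}

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Map CSP directive -> source list; a repeated directive is ignored, as browsers do."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = tokens[1:]
    return out

def review_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings: cookies readable by script, and unrestricted img-src / frame-src."""
    findings: List[str] = []
    csp = None
    for name, value in headers:
        if name.lower() == "set-cookie":
            for cookie, flags in cookie_flags(value).items():
                if not flags["httponly"]:
                    findings.append(f"cookie {cookie!r} is readable by script (no HttpOnly)")
                if not flags["secure"]:
                    findings.append(f"cookie {cookie!r} may be sent over plain HTTP (no Secure)")
        elif name.lower() == "content-security-policy":
            csp = parse_csp(value)
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        # frame-src falls back to child-src, then default-src; img-src falls back to default-src.
        for directive, fallback in (("frame-src", ("child-src", "default-src")),
                                    ("img-src", ("default-src",))):
            sources = next((csp[d] for d in (directive, *fallback) if d in csp), None)
            if sources is None or "*" in sources:
                findings.append(f"{directive} is unrestricted (no directive or wildcard)")
    return findings

# Constructed sample headers: a weak response and a hardened one.
WEAK = [("Set-Cookie", "sessionid=abc123; Path=/")]
HARDENED = [("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
            ("Content-Security-Policy",
             "default-src 'self'; img-src 'self' https://cdn.example.test; frame-src 'none'")]
```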