A Content Security Policy (CSP) is sent via the Content-Security-Policy response header. It tells the browser which origins are trusted sources of scripts, stylesheets, images, fonts, frames, etc. Anything not on the allow-list is blocked, including inline scripts and event handlers (the most common XSS attack surface).
Roll out via Content-Security-Policy-Report-Only first: the header takes the same directives, but the browser only reports violations instead of blocking anything. Include a report-uri (or report-to) directive so violations are actually delivered to an endpoint you control, watch that report stream for a week, fix the legitimate violations, then promote to enforcement by renaming the header to Content-Security-Policy.
A strong CSP eliminates XSS as a class of vulnerability. The minimum useful baseline: default-src 'self'; script-src 'self' 'unsafe-inline'. As long as 'unsafe-inline' remains in script-src, the policy still permits injected inline scripts, so drop it once you've moved to nonces or hashes for any inline scripts you genuinely need.
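The rollout and cleanup described above, as an added example that is not part of the original text: it emits the header for either stage (switching to a per-response nonce once 'unsafe-inline' is dropped) and triages the report-uri stream so legitimate violations can be fixed before enforcement. The /csp-report endpoint and the sample reports are constructed; the report JSON shape is the one browsers POST to report-uri.

```python
import json
import secrets
from collections import Counter
from urllib.parse import urlsplit

REPORT_ENDPOINT = "/csp-report"  # assumed collection path (not from the page)

def build_csp_header(stage, nonce=None):
    """Return (header name, value) for one response. stage "report-only" logs only,
    "enforce" blocks. A nonce replaces 'unsafe-inline'; call new_nonce() per response."""
    script_src = f"'self' 'nonce-{nonce}'" if nonce else "'self' 'unsafe-inline'"
    name = {"report-only": "Content-Security-Policy-Report-Only",
            "enforce": "Content-Security-Policy"}[stage]
    # report-uri is what makes the browser POST violations at all
    return name, f"default-src 'self'; script-src {script_src}; report-uri {REPORT_ENDPOINT}"

def new_nonce():
    return secrets.token_urlsafe(16)  # 128 CSPRNG bits, base64url, valid nonce chars

def classify_report(body):
    """Map one report-uri POST body ({"csp-report": {...}}) to a
    (directive, category, detail) triple so legitimate violations can be fixed."""
    r = json.loads(body)["csp-report"]
    directive = r.get("effective-directive") or r["violated-directive"].split()[0]
    blocked = r.get("blocked-uri", "")
    if blocked in ("inline", "eval"):       # inline script/handler on our own page
        return directive, "needs-nonce-or-hash", r.get("source-file", "")
    if "://" not in blocked:                # "data", "blob", "about", ...
        return directive, "scheme-source", blocked
    u = urlsplit(blocked)                   # external resource: allow-list by origin
    return directive, "origin-candidate", f"{u.scheme}://{u.netloc}"

def summarize(bodies):
    """Count triples over a batch; review each key before allow-listing anything."""
    return Counter(classify_report(b) for b in bodies)

# Constructed sample reports in the shape a browser POSTs to report-uri.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://app.example/", "line-number": 12,
        "violated-directive": "script-src 'self'", "effective-directive": "script-src",
        "blocked-uri": "inline", "source-file": "https://app.example/"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/",
        "violated-directive": "script-src 'self'", "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example.net/lib/app.min.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/",
        "violated-directive": "default-src 'self'", "effective-directive": "img-src",
        "blocked-uri": "data"}}),
]
```

An "origin-candidate" entry only earns a place on the allow-list if the origin is one you expect to load from; an unexpected one is exactly what the report-only phase exists to surface.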