Securing Single-page-application from CSRF and XSS using CSP + localStorage

Backend · Unresolved · 3 · 1362
情书的邮戳 2021-02-06 14:52

I have a single-page application that has sensitive content and needs to be secured. This question is specifically about securing it against XSS and CSRF attacks.

Explan

3 answers
  • 情话喂你 2021-02-06 15:04

    CSP is a rather new concept for me, but from what I know, my answer is: use them all. I'll try to elaborate.

    1. CSP is relatively easy to implement. If you're dealing with sensitive content, the added cost of implementing it is worth the trouble. It can greatly improve your app security on browsers that support it.
    2. It's a free lunch for those who can handle it - browsers that don't understand the header will simply ignore it.
    3. Because of that however, you need to have all the standard measures in place.
    4. CSP doesn't (and can't) prevent CSRF. Even if you forbid all scripts from executing, CSRF attacks are still possible if no per-request tokens are used.
