Safeguarding your emails with strict Content Security Policy

Tuta's Content Security Policy aims at preventing XSS attacks. Because security is more than encrypting as much data as possible.

Padlock symbolizing encryption of data.

At Tuta Mail, we prioritize your security and privacy and build a service that's trusted by millions of people around the world. To achieve best-in-class security we use strict CSP (Content Security Policy), an HTML sanitizer for showing unknown content in emails to prevent cross-site-scripting (XSS) attacks, and block loading of external content by default. But what exactly does this mean for you?


Email, the modern from of communication that no one can go without, is very convenient as it allows us to quickly contact anyone in the world to start a conversation. However, with the convenience of email, comes the looming threat of cyber attacks, particularly cross-site-scripting (XSS) attacks, which can compromise the security of your inbox and personal information. These attacks are quite common against traditional email services due to how email is designed. At Tuta your security has utmost priority, and we have taken steps to protect all users of Tuta Mail from such threats. Through a stringent Content Security Policy (CSP) implementation an HTML sanitizer, we make sure that your mailbox is protected from malicious attacks.

What is CSP and why is it needed?

Content Security Policy (CSP) is a security standard that helps prevent malicious attacks such as cross-site scripting (XSS) and data injection attacks. CSP clearly specifies which content sources are allowed to be loaded when you open an email in the web client. Our implementation of CSP plays a crucial role in ensuring that only trusted content is displayed in your mailbox, mitigating the risk of malicious code execution. One of the key features of Tuta Mail’s CSP implementation is its HTML sanitizer, which acts as a robust defense mechanism against potentially harmful content embedded within emails. This sanitizer checks incoming emails for any suspicious code or scripts and removes them before they can pose a threat to the user’s device or data.

Blocking of external content

Furthermore, Tuta Mail blocks external content such as images and videos that can also contain malicious code or pixels for tracking purposes. This also means that any potentially risky content included in emails, such as remotely hosted images or scripts, is blocked by default, significantly reducing the likelihood of XSS attacks. But what if you receive legitimate content from trusted senders? Tuta Mail of course allows you to load external content manually – if you trust the sender. This can be easily done with a simple click in the email, and the decision can also be remembered for future emails. This information is stored in the browser cache so as long as the cache is not cleared, external content in trusted emails will automatically load in the future. This intuitive approach empowers you to make informed decisions about the content you choose to interact with, without compromising on security.

Screenshot einer Tuta-E-Mail, die externe Inhalte blockiert, mit der Frage, ob Sie die Bilder "Anzeigen", "Absender immer vertrauen" oder "Absender immer blockieren" möchten." Screenshot einer Tuta-E-Mail, die externe Inhalte blockiert, mit der Frage, ob Sie die Bilder "Anzeigen", "Absender immer vertrauen" oder "Absender immer blockieren" möchten." Screenshot of a Tuta email that blocks external content asking whether you want to “Show” the images, “Always trust sender” or “Always block sender”.

No tracking

Obviously, Tuta does not track you when using your private emails, calendars or contacts. On top of that, we do not only block loading of external content in emails for security reasons, but also to stop any kind of tracking. When you receive images or videos via email, these oftentimes contain pixels, for instance from marketing agencies. Blocking this content is crucial because email is the favorite tool of advertisers who try to track you and your online habits across multiple platforms.

Marketing people love email as they can include tracking pixels via embedding external content that you need to load from third-party servers. Via these pixels, they can know if you’ve opened an email, when you did so, whether you clicked any links included in the email, and more.

If a mail client loads external content such as images or videos by default – without asking for users’ consent, these tracking pixels are loaded along with the other data. That’s another reason why Tuta Mail blocks loading of external content.

Security first

Since our launch of Tutanota in 2014, the first end-to-end encrypted email service, we have focused on security.

Included in our robust security are many measures:

With all these measures, we make sure that Tuta Mail is the safest email provider. When it comes to protecting your inbox from malicious attacks, Tuta Mail is the best choice, and one that is already trusted by millions. With its unwavering commitment to implementing cutting-edge security measures, users can rest assured that their emails are safeguarded against XSS attacks and other cyber threats.

You can find more information on our high security standards on our security page.