The Content-Security-Policy is a great little step to improve your XSS protection. In short you can define which content is allowed to be loaded through with channel. This can be added as a header in your backend like a Symfony API or directly configured in your apache config.
While the basics are quite simple, for a more advanced app you might need to setup a more complex configuration like the following I'm using with an Angular app.
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src http: https: 'self'; connect-src http: https: blob:;"
This is a snippet from the
Make sure to take a look into the Content-Security-Policy documentation from Mozilla.