How Content Security Policy (CSP) Secures Web Clients?

How Content Security Policy (CSP) Secures Web Clients

What is Content Security Policy (CSP)?

What is Content Security Policy (CSP)

Content Security Policy (CSP) is an additional layer of security on the HTTP browser traffic to mitigate Cross-Site-Scripting (XSS), data injection attacks.

CSP is designed to be backwards compatible, i.e. when browsers do not support CSP, it defaults to the same-origin policy for web content.

Configuration

CSP configuration requires the web server to return the Content-Security-Policy HTTP header.

				
					Content-Security-Policy: policy-directive; policy-directive
				
			

The primary objective of CSP is to prevent XSS. XSS exploits the browser’s trust in all the content being loaded by the document to inject malicious executable scripts. A CSP compatible browser only executes scripts and resource files specified by the policy directives in the CSP HTTP header.

				
					Content-Security-Policy: default-src 'self'; img-src *; media-src prophaze.com *.prophaze.com; script-src js.prophaze.com
				
			

In this instance the web admin wants the default content to load from the website’s own origin (note ‘self’), images from anywhere on the internet (note wildcard ‘*’), media from prophaze.com and all its subdomains, and javascript from js.prophaze.com.

The web admin can also specify resources to specifically load over https.

				
					Content-Security-Policy: default-src 'self' https://prophaze.com
				
			

For deployment purposes, CSP can be deployed in a report-only mode where by policy, any CSP violation is reported to the value specified in the header through a POST request.

				
					Content-Security-Policy-Report-Only: to-test-policy
Content-Security-Policy: default-src 'self' https://prophaze.com; report-uri /dev/report-csp
				
			

In the above example, all violations will be reported to /dev/report-csp on origin.

Facebook
Twitter
LinkedIn

Recent Posts

Follow Us

Web Application Firewall Solution