Content Security Policy

Content Security Policy (CSP) is about creating a whitelist of "things that are allowed to happen" on your website.

The idea is that if you only allow the good things, then the bad things can no longer happen.

The bad thing that CSP tries to prevent is a web vulnerability called Cross-Site Scripting (XSS). XSS is a widespread web vulnerability used in many attacks, including account compromise, worms, credit-card skimming and more.

What does Content Security Policy (CSP) look like?

Content-Security-Policy is an HTTP header. This is what the browser receives:

In this policy, JavaScript is allowed to be loaded from 'self' (the server that sent this policy) or from google-analytics. CSS is allowed to be loaded from 'self' or from cdn.bootstrap.com. Any violation of this policy is serialized as a JSON report and sent to demo.endpoint.csper.io.
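As an added example (not code from the original page or from Csper), the snippet below builds a header string for the policy just described and then evaluates whether a given resource load would be permitted by it. The exact hostnames are assumptions: the page names only google-analytics, cdn.bootstrap.com and demo.endpoint.csper.io, and the site origin www.example.com is constructed. Host matching is simplified (scheme plus host, with an optional "*." wildcard) and does not implement the full CSP source-expression grammar, but it shows the two decisions a browser makes for every load: which directive governs the resource type (falling back to default-src) and whether any listed source matches.

```javascript
// Added example, not from the original page. Hostnames and the site origin
// are assumptions made for illustration.

const SITE_ORIGIN = "https://www.example.com"; // constructed: the origin that serves the policy

// Directive map equivalent to the policy the text describes.
const policy = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://www.google-analytics.com"], // full hostname assumed
  "style-src": ["'self'", "https://cdn.bootstrap.com"],
  "report-uri": ["https://demo.endpoint.csper.io"],
};

// Serialize the directive map into the header value a server would send.
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Which fetch directive governs a resource type. Types whose directive is
// absent from the policy fall back to default-src, as browsers do.
const DIRECTIVE_FOR_TYPE = {
  script: "script-src",
  style: "style-src",
  img: "img-src",
  connect: "connect-src",
};

// Split a host-source such as "https://cdn.bootstrap.com" or "*.example.com"
// into scheme and host. Ports and paths are dropped (simplification).
function parseHostSource(source) {
  const idx = source.indexOf("://");
  const scheme = idx === -1 ? null : source.slice(0, idx).toLowerCase() + ":";
  const rest = idx === -1 ? source : source.slice(idx + 3);
  const host = rest.split("/")[0].split(":")[0].toLowerCase();
  return { scheme, host };
}

// Does one source expression permit loading resourceUrl?
function sourceMatches(source, resourceUrl, siteOrigin) {
  if (source === "'self'") return resourceUrl.origin === siteOrigin;
  // Other keywords ('none', 'unsafe-inline', nonces, hashes) never match a URL load here.
  if (source.startsWith("'")) return false;
  const { scheme, host } = parseHostSource(source);
  if (scheme && scheme !== resourceUrl.protocol) return false;
  if (host.startsWith("*.")) return resourceUrl.hostname.endsWith(host.slice(1));
  return resourceUrl.hostname === host;
}

// Would the browser allow a resource of resourceType to load from url under these directives?
function isAllowed(directives, resourceType, url, siteOrigin = SITE_ORIGIN) {
  const directive = DIRECTIVE_FOR_TYPE[resourceType];
  if (!directive) throw new Error(`unknown resource type: ${resourceType}`);
  const sources = directives[directive] || directives["default-src"] || [];
  const resourceUrl = new URL(url);
  return sources.some((s) => sourceMatches(s, resourceUrl, siteOrigin));
}

console.log(buildCspHeader(policy));
// A script from a host that is not on the list is blocked (constructed hostname):
console.log(isAllowed(policy, "script", "https://third-party.example/tracker.js")); // false
// An image from cdn.bootstrap.com is also blocked: img-src is unset, so default-src 'self' applies.
console.log(isAllowed(policy, "img", "https://cdn.bootstrap.com/logo.png")); // false
```

The last two checks illustrate the second hard problem described further down: an allowlist that is correct for scripts says nothing about images or XHR unless default-src is set, so a policy without default-src leaves those loads unrestricted.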

What makes Content Security Policy (CSP) hard?

There are two things that make Content-Security-Policy hard:

  • Figuring out and maintaining the list of "all the allowed things"
  • Figuring out how to restrict that list so that attackers can't use the "allowed things" to do "bad things"

How do I create a Content Security Policy (CSP)?

To create a Content Security Policy (CSP) you need to gather a list of all the external resources on your website. Thankfully you can use a feature of Content Security Policy called report-uri to do that work for you.
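The report-uri workflow is, at its core, bookkeeping over the violation reports browsers send back. The following added example (not code from the original page or from Csper) parses reports in the Content-Security-Policy report format, the "csp-report" JSON object a browser POSTs to the report-uri endpoint, and aggregates the blocked origins per directive into a candidate allowlist. The reports and hostnames are constructed sample data. Non-URL values such as "inline" and "eval" are kept in a separate bucket because they should be resolved with nonces or hashes rather than by adding 'unsafe-inline' to the list.

```javascript
// Added example, not from the original page. Sample reports below are constructed.

const sampleReports = [
  JSON.stringify({ "csp-report": {
    "document-uri": "https://www.example.com/",
    "violated-directive": "script-src 'self'", // older browsers send the directive with its sources
    "effective-directive": "script-src",
    "blocked-uri": "https://www.google-analytics.com/analytics.js",
    "original-policy": "default-src 'self'; report-uri https://demo.endpoint.csper.io",
  } }),
  JSON.stringify({ "csp-report": {
    "document-uri": "https://www.example.com/about",
    "effective-directive": "script-src",
    "blocked-uri": "https://www.google-analytics.com/analytics.js",
  } }),
  JSON.stringify({ "csp-report": {
    "document-uri": "https://www.example.com/",
    "effective-directive": "style-src",
    "blocked-uri": "https://cdn.bootstrap.com/bootstrap.min.css",
  } }),
  JSON.stringify({ "csp-report": {
    "document-uri": "https://www.example.com/",
    "effective-directive": "script-src",
    "blocked-uri": "inline", // an inline <script> block, not a URL
    "line-number": 12,
  } }),
  "not json at all", // a malformed POST; collectors must tolerate these
];

// Extract the directive name and blocked value from one report body.
function parseReport(body) {
  const wrapper = typeof body === "string" ? JSON.parse(body) : body;
  const report = wrapper["csp-report"];
  if (!report || typeof report !== "object") throw new Error("not a csp-report");
  // violated-directive may carry the whole source list; keep only the directive name.
  const directive = String(report["effective-directive"] || report["violated-directive"] || "").split(" ")[0];
  return { directive, blocked: String(report["blocked-uri"] || ""), documentUri: report["document-uri"] };
}

// Reduce a blocked-uri to an origin, or classify it as a non-URL keyword.
function blockedToSource(blocked) {
  try {
    const u = new URL(blocked);
    return { kind: "origin", value: u.origin };
  } catch (e) {
    // "inline", "eval", "data", "blob" or an empty string: nothing to allowlist by host.
    return { kind: "nonUrl", value: blocked || "(empty)" };
  }
}

// Tally reports into allowlist[directive][origin] and needsReview[directive][keyword].
function aggregateReports(bodies) {
  const allowlist = {};
  const needsReview = {};
  for (const body of bodies) {
    let parsed;
    try {
      parsed = parseReport(body);
    } catch (e) {
      continue; // skip malformed posts rather than failing the whole batch
    }
    if (!parsed.directive) continue;
    const src = blockedToSource(parsed.blocked);
    const bucket = src.kind === "origin" ? allowlist : needsReview;
    if (!bucket[parsed.directive]) bucket[parsed.directive] = {};
    bucket[parsed.directive][src.value] = (bucket[parsed.directive][src.value] || 0) + 1;
  }
  return { allowlist, needsReview };
}

// Turn the tally into directive source lists. Each list starts from 'self'
// (an assumption: a site normally loads its own resources) and adds every
// origin seen at least minReports times, so a one-off report does not widen the policy.
function suggestDirectives(aggregate, minReports = 1) {
  const out = {};
  for (const [directive, origins] of Object.entries(aggregate.allowlist)) {
    const hosts = Object.entries(origins)
      .filter(([, count]) => count >= minReports)
      .map(([origin]) => origin)
      .sort();
    out[directive] = ["'self'", ...hosts];
  }
  return out;
}

const summary = aggregateReports(sampleReports);
console.log(suggestDirectives(summary));
console.log("needs nonces/hashes instead of a host entry:", summary.needsReview);
```

Raising minReports filters out noise from browser extensions and one-off injected content, which otherwise ends up on the allowlist; the needsReview bucket is what drives the inline-script part of the Express guide below.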

Here's a guide on creating a content security policy in minutes online.

An Introduction To Content Security Policy

An introduction to content security policy and cross site scripting.

Getting Started with Content Security Policy using NodeJS/Express and Csper

This guide covers building and installing a content security policy (CSP) on a Node.js Express server. It covers content security policy itself, generating a policy, report-uri, inline scripts, and deployment.

Other Security Features of Content Security Policy

Other security features of content security policy, including upgrade-insecure-requests, block-all-mixed-content, frame-ancestors, sandbox, form-action, and more.