Content-Security-Policy (CSP) is an essential security header used to protect web applications from a variety of attacks, including Cross-Site Scripting (XSS), clickjacking, and data injection attacks.
How it Works!!
CSP allows website administrators to create a policy that specifies the origins from which content can be loaded on a webpage. By restricting the sources of scripts, images, fonts, styles, and other resources, CSP helps mitigate risks associated with untrusted content.
When the browser receives a webpage with a CSP header, it enforces the rules defined in that policy. If any resource tries to load from an unauthorized source, the browser blocks it and can report the violation.
Basic CSP Syntax
The CSP header consists of directives, each specifying a type of resource and the allowed sources for that resource.
Example CSP header:
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.trusted.com
This example specifies:
default-src 'self'
: By default, content (like images, scripts, and styles) can only be loaded from the same origin as the webpage.script-src 'self' https://apis.trusted.com
: Scripts can be loaded from the same origin andhttps://apis.trusted.com
.
Common Directives
Here are some commonly used CSP directives:
default-src
: Sets the default source for all content types if not specified by a more specific directive.- Example:
default-src 'self'
- Example:
script-src
: Restricts the sources for JavaScript.- Example:
script-src 'self' https://trusted-scripts.com
- Example:
style-src
: Controls the sources for CSS stylesheets.- Example:
style-src 'self' 'unsafe-inline'
- Example:
img-src
: Limits the sources for images.- Example:
img-src 'self' data: https://images.example.com
- Example:
connect-src
: Limits the origins for AJAX, WebSocket, or Fetch API requests.- Example:
connect-src 'self' https://api.example.com
- Example:
frame-src
: Restricts the origins allowed to embed the page in iframes.- Example:
frame-src 'self'
- Example:
report-uri
/report-to
: Specifies where to send CSP violation reports.- Example:
report-uri https://example.com/csp-reports
- Example:
Best Practices for CSP
- Start with a restrictive policy:
- Use
'self'
to allow content only from your own domain.
- Use
- Avoid
unsafe-inline
andunsafe-eval
:- These weaken security by allowing inline scripts or dynamic code execution.
- Use Nonces or Hashes:
- Nonces (
'nonce-randomString'
) and hashes allow specific inline scripts and styles, reducing the risk associated withunsafe-inline
.
- Nonces (
- Monitor violations:
- Use
report-uri
orreport-to
to monitor and fine-tune your CSP policy.
- Use
Example of a Strong CSP
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; style-src 'self'; img-src 'self' https://images.example.com; connect-src 'self'; frame-src 'none'; report-uri https://example.com/csp-reports
This CSP policy:
- Restricts all content to the site’s origin (
'self'
). - Allows scripts from the site origin and
https://apis.example.com
. - Allows images from the site origin and
https://images.example.com
. - Disallows iframes (
frame-src 'none'
). - Reports violations to
https://example.com/csp-reports
.
Benefits of Using CSP
- Mitigates XSS Attacks: By controlling script sources, CSP blocks malicious scripts injected into web pages.
- Prevents Data Injection: Stops unauthorized third-party resources from loading.
- Clickjacking Protection: Combined with other headers, CSP helps protect against clickjacking attacks.
- Enhances Security Posture: Helps enforce a stricter, more secure content-loading policy.
Implementing CSP is an essential step in securing modern web applications.
Visit https://suyashjain.com/posts/category/cybersecurity/ for more articles.