Back to all articles
Best Practice Security

Understanding and applying Content Security Policy (CSP)

Content Security Policy (CSP) is an essential security feature that helps mitigate a variety of web security vulnerabilities, including Cross-Site Scripting (XSS) and data injection attacks. By allowing web developers to declare which sources the browser should allow to load content from, CSP provides a robust defense against malicious content injection, significantly enhancing web application security.

What is CSP and whats its purpose?

CSP is implemented by sending the Content-Security-Policy HTTP header from the web server or by including an equivalent <meta> element within the HTML of a page. This policy helps in specifying trusted sources and domains, thus preventing browsers from loading potentially malicious assets. The core aim of CSP is to prevent XSS attacks by restricting the sources from which content such as scripts, styles, and images can be loaded. It effectively blocks inline scripts and eval-like functions, which are common attack vectors for XSS.

The need for CSP arises from the evolving complexity of web attacks, offering a supplementary layer of security that works alongside traditional sanitization techniques. By controlling the sources of content that a browser can load, developers can shield their applications from attackers exploiting vulnerabilities to execute malicious scripts.

How to Test Using report-to

Testing your CSP implementation is crucial to ensure that the defined policies do not interfere with the functionality of your site while providing the intended security benefits. The report-to directive is a modern approach to CSP violation reporting, designed to replace the deprecated report-uri directive. It allows the browser to send reports of CSP violations to a specified endpoint, providing insights into any issues with the policy.

To utilize the report-to directive, it's necessary to define a reporting group in your CSP header:

Content-Security-Policy: default-src 'self'; report-to /csp-violation-report-endpoint

Additionally, you need to define the reporting group in the Report-To HTTP header:

Report-To: {"group":"default","max_age":10886400,"endpoints":[{"url":"https://yourdomain.com/report-csp-violations"}],"include_subdomains":true}

This setup instructs the browser to send JSON-formatted POST requests detailing the CSP violation to the specified URL, enabling ongoing monitoring and refinement of your CSP strategy.

CSP Directives and Examples

CSP's flexibility is evident in its array of directives, each tailored to control specific types of content. Below are key directives with examples to illustrate their usage:

  • default-src: Sets a default policy for loading resources like scripts, styles, images, fonts, media, frames, etc.
    Content-Security-Policy: default-src 'self';
  • script-src: Specifies valid sources for JavaScript, crucial for preventing XSS attacks.
    Content-Security-Policy: script-src 'self' https://apis.example.com;
  • style-src: Determines which CSS stylesheets are permissible.
    Content-Security-Policy: style-src 'self' 'unsafe-inline';

    Note: Using 'unsafe-inline' permits inline styles, which may be necessary for some applications but compromises security.

  • img-src: Defines allowed sources of images.
    Content-Security-Policy: img-src 'self' https://images.example.com;
  • connect-src: Restricts the origins to which you can connect (via XHR, WebSockets, and EventSource).
    Content-Security-Policy: connect-src 'self' https://api.example.com;
  • font-src: Indicates where fonts can be loaded from.
    Content-Security-Policy: font-src 'self' https://fonts.example.com;
  • object-src: Controls valid sources for the <object>, <embed>, and <applet> elements.
    Content-Security-Policy: object-src 'none';
  • report-to: Specifies where to send reports about policy violations.
    Content-Security-Policy: default-src 'self'; report-to /csp-violation

Employing these directives enables developers to fine-tune the security policies of their applications, ensuring that only trusted content is executed or displayed. It's vital to conduct thorough testing of your CSP to prevent blocking legitimate content or functionality on your site. As security threats evolve, regularly updating and adapting your CSP is necessary to counter new vulnerabilities and safeguard your web applications.