Published on

Content Security Policy: A Comprehensive Guide

Authors

Table of Contents

Content Security Policy: A Comprehensive Guide

Introduction

Content Security Policy (CSP) is an essential security mechanism that helps protect web applications against code injection attacks like Cross-Site Scripting (XSS). In this comprehensive guide, we will explore CSP, its directives, and how to implement it effectively to enhance your web application's security.

Understanding Content Security Policy

Content Security Policy is an added layer of defense that enables web developers to control the resources (e.g., scripts, styles, images) loaded on a web page. By defining a set of policies, developers can reduce the risk of XSS attacks and data breaches.

Why Content Security Policy Matters

CSP matters because it mitigates various security risks associated with code injection attacks. By enforcing a policy, web developers can control which sources are allowed to load resources, reducing the likelihood of malicious code execution.

Implementing Content Security Policy

Implementing a Content Security Policy requires understanding the different sources from which resources are loaded on your web page. The following are some common scenarios to consider:

1. Inline Scripts

Inline scripts are snippets of JavaScript embedded directly in HTML tags. Avoid using them whenever possible, as they can bypass CSP restrictions.

2. External Scripts

External scripts are loaded from separate files hosted on a different domain. Use the script-src directive to specify which domains are allowed to load scripts.

3. Styles

External stylesheets are loaded from separate files. Use the style-src directive to define the allowed sources for styles.

CSP Directives

CSP relies on various directives to define the allowed sources for different types of resources. Let's explore some common directives:

1. default-src

The default-src directive sets the default source for loading resources when no other directive is specified.

<meta http-equiv="Content-Security-Policy" content="default-src 'self';" />

2. script-src

The script-src directive specifies the sources from which scripts can be loaded.

<meta http-equiv="Content-Security-Policy" content="script-src 'self' cdn.example.com;" />

3. style-src

The style-src directive defines the allowed sources for stylesheets.

<meta http-equiv="Content-Security-Policy" content="style-src 'self' cdn.example.com;" />

4. img-src

The img-src directive controls the sources from which images can be loaded.

<meta http-equiv="Content-Security-Policy" content="img-src 'self' img.example.com data:;" />

5. connect-src

The connect-src directive restricts the domains to which the page can connect.

<meta http-equiv="Content-Security-Policy" content="connect-src 'self' api.example.com;" />

6. font-src

The font-src directive sets the allowed sources for web fonts.

<meta http-equiv="Content-Security-Policy" content="font-src 'self' fonts.example.com;" />

7. media-src

The media-src directive controls the sources for media files.

<meta http-equiv="Content-Security-Policy" content="media-src 'self' media.example.com;" />

8. object-src

The object-src directive defines the allowed sources for embedded objects.

<meta http-equiv="Content-Security-Policy" content="object-src 'none';" />

9. frame-src

The frame-src directive restricts the domains that can embed the page in an iframe.

<meta http-equiv="Content-Security-Policy" content="frame-src 'self' iframe.example.com;" />

10. sandbox

The sandbox directive restricts the capabilities of nested content in an iframe.

<meta http-equiv="Content-Security-Policy" content="sandbox allow-scripts allow-same-origin;" />

11. base-uri

The base-uri directive sets the allowed URIs for the base element.

<meta http-equiv="Content-Security-Policy" content="base-uri 'self' https://cdn.example.com;" />

12. form-action

The form-action directive controls the allowed sources for form submissions.

<meta http-equiv="Content-Security-Policy" content="form-action 'self' forms.example.com;" />

13. frame-ancestors

The frame-ancestors directive defines the domains that can embed the page in a frame.

<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self' allowed.example.com;" />

14. plugin-types

The plugin-types directive restricts the types of plugins that can be embedded on the page.

<meta
  http-equiv="Content-Security-Policy"
  content="plugin-types application/pdf application/x-shockwave-flash;"
/>

Using Nonces and Hashes

Nonces and hashes can be used to allow specific inline scripts or styles to execute, even in the presence of CSP restrictions.

Report-Only Mode

In the early stages of implementing CSP, you can use the report-only mode to collect violation reports without enforcing the policy.

Best Practices for Content Security Policy

  • Start with a restrictive policy and gradually loosen it as needed.
  • Regularly monitor violation reports and adjust your policy accordingly.
  • Always test your CSP in different browsers to ensure compatibility.

Conclusion

Content Security Policy is a potent security tool that helps prevent code injection attacks, enhancing your web application's security. By defining appropriate policies and following best practices, you can create a safer browsing experience for your users.

Resources

  1. MDN Web Docs: Content Security Policy (CSP)
  2. CSP Evaluator
  3. OWASP: Content Security Policy Cheat Sheet
  4. Scott Helme's Content Security Policy Blog
  5. Report URI: CSP Reporting