CSP Content-Security-Policy header

A Content Security Policy (CSP) header is a passive security feature: the server declares a policy in an HTTP response header, and the browser enforces it. The policy determines which resources (scripts, images, stylesheets, fonts, etc.) of a web page are considered safe and may be loaded and executed by the browser.

By controlling these resources, CSP helps to mitigate risks such as:
  • Cross-site scripting (XSS), where malicious scripts are injected into a web page.
  • Data injection, where harmful data is introduced into a site and can be executed.
  • Clickjacking, by preventing the site from being embedded in an iframe on a malicious page.

The default CSP configuration in the CR HeaderRewrites, default-src 'self'; img-src *, is very strict (only same-origin resources are allowed, except images, which may be loaded from anywhere) and may have to be replaced by a custom configuration.
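To see what the default policy actually permits before replacing it, the following added example (not part of the CR product or this page) evaluates resource URLs against a CSP header value. It parses the directives, applies the default-src fallback, and matches 'self', 'none', '*', scheme, host and wildcard-host sources; the page origin and URLs are constructed sample values. It also shows that frame-ancestors has no default-src fallback, so the default configuration alone does not restrict framing.

```python
from urllib.parse import urlsplit

# Constructed sample values: the default policy from the page and a hypothetical page origin.
DEFAULT_POLICY = "default-src 'self'; img-src *"
PAGE_ORIGIN = "https://app.example.com"

# Fetch directives that fall back to default-src when absent (frame-ancestors does not).
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                       "connect-src", "frame-src", "media-src", "object-src"}


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str):
    """Sources that apply to a directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return None  # directive absent and no fallback: CSP imposes no restriction


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Match one source expression against a resource URL (subset of CSP level 3)."""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    if source == "'none'":
        return False
    if source == "*":
        return parts.scheme in ("http", "https", "ws", "wss")  # data:/blob: are not matched
    if source == "'self'":
        return origin == page_origin
    if source.endswith(":"):  # scheme-source such as https:
        return parts.scheme + ":" == source
    if source.startswith("*."):  # wildcard host: matches subdomains, not the bare domain
        return parts.netloc.endswith(source[1:])
    return origin == source or parts.netloc == source


def is_allowed(header: str, directive: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """True if the browser would load `url` for `directive` under this policy."""
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)
```

Run is_allowed with the policy you intend to deploy and the script, style and image URLs your pages actually use; anything that returns False would be blocked (and reported by the browser) once the header is live.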

Troubleshooting and integration

Content Security Policies are not simple on/off directives; they have to be tailored to the application. Finding a strict, production-quality policy for your application can be challenging, and the CSP standard is constantly evolving. However, CSP-related resources and tools are freely available.