CSP Content-Security-Policy header
A Content Security Policy (CSP) header is a passive security feature that can protect websites from attacks by defining a corresponding policy in the HTTP response header. The policy determines which resources (such as scripts, images, stylesheets, fonts, etc.) of a web page are considered safe and allowed to be loaded and executed by the browser.
By controlling these resources, CSP helps to mitigate risks such as:
- Cross-site scripting (XSS), where malicious scripts are injected into a web page.
- Data Injection, where harmful data is introduced into a site that can be executed.
- Clickjacking, by preventing the site from being embedded into an iframe or a malicious page.
The CSP default configuration `default-src 'self'; img-src *` in the CR HeaderRewrites is very strict: it allows scripts, stylesheets, fonts and all other resources only from the page's own origin, and images from any origin. It may therefore have to be replaced by a custom configuration tailored to the application.
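To see concretely what the default policy permits and what a custom replacement changes, here is a small CSP checker added as an illustration; it is not part of the CR HeaderRewrites or any browser's code. It parses a policy string the way a browser does (first occurrence of a directive wins, fetch directives fall back to `default-src`), decides whether a given load is allowed for a hypothetical document origin `https://app.example.com`, and flags the weaknesses a CSP evaluator typically reports. The host names and the custom policy are constructed for the example; the checker implements a subset of the CSP Level 3 source-expression grammar (no nonce or hash verification).

```python
"""Minimal Content-Security-Policy checker (added illustration, not product
code). Parses a CSP header value, decides whether the browser would allow a
resource load, and scans the policy for common weaknesses."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                       "connect-src", "media-src", "object-src", "frame-src"}
# The page's default policy and a hypothetical document origin for the demo.
DEFAULT_POLICY = "default-src 'self'; img-src *"
PAGE = "https://app.example.com/"


def parse_policy(header):
    """Turn "directive src src; directive ..." into {directive: [src, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A duplicated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _source_matches(expr, page, url):
    """Does one source expression permit url when loaded by page?"""
    pg, u = urlsplit(page), urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "*":                      # network schemes only; data:/blob: need a scheme source
        return u.scheme in DEFAULT_PORTS
    if expr == "'self'":                 # same origin; http page may load https from same host
        same_host = (pg.hostname, _effective_port(pg)) == (u.hostname, _effective_port(u))
        return same_host and (u.scheme == pg.scheme or (pg.scheme, u.scheme) == ("http", "https"))
    if expr.startswith("'"):             # 'unsafe-inline', nonces, hashes: not network sources
        return False
    if expr.endswith(":"):               # scheme source such as https: or data:
        return u.scheme == expr[:-1].lower()
    # Host source: [scheme://]host[:port][/path]
    scheme, sep, rest = expr.partition("://")
    if not sep:
        scheme, rest = "", expr
    hostport, sep, path = rest.partition("/")
    path = "/" + path if sep else ""
    host, _, port = hostport.partition(":")
    if scheme and u.scheme != scheme.lower():
        return False
    if not scheme and not (u.scheme == pg.scheme or (pg.scheme, u.scheme) == ("http", "https")):
        return False
    host = host.lower()
    if host.startswith("*."):            # *.example.com matches subdomains, not example.com itself
        if not (u.hostname or "").endswith(host[1:]):
            return False
    elif host != (u.hostname or ""):
        return False
    if port == "*":
        pass
    elif port:
        if str(_effective_port(u)) != port:
            return False
    elif _effective_port(u) != DEFAULT_PORTS.get(u.scheme):
        return False
    if path.endswith("/"):               # directory prefix; otherwise an exact path match
        return u.path.startswith(path)
    return not path or u.path == path


def is_allowed(policy, directive, page, url):
    """Apply the directive (or its default-src fallback) to one load."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True                      # nothing in the policy governs this load
    return any(_source_matches(s, page, url) for s in sources)


def weaknesses(policy):
    """Flag the mistakes a CSP evaluator would warn about."""
    findings = []
    script = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
        findings.append("script-src: 'unsafe-inline' without nonce/hash lets injected inline scripts run")
    if "*" in script or any(s.endswith(":") for s in script):
        findings.append("script-src: wildcard or scheme source lets any host serve scripts")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src: unrestricted, plugin content can be loaded")
    if "base-uri" not in policy:
        findings.append("base-uri: unrestricted, an injected <base> tag can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    p = parse_policy(DEFAULT_POLICY)
    print(is_allowed(p, "script-src", PAGE, "https://cdn.example.net/libs/app.js"))   # blocked by default-src 'self'
    print(is_allowed(p, "img-src", PAGE, "data:image/png;base64,AAAA"))              # blocked: * excludes data:
    custom = parse_policy("default-src 'self'; script-src 'self' https://cdn.example.net/libs/; "
                          "img-src 'self' data:; object-src 'none'; base-uri 'self'")
    print(is_allowed(custom, "script-src", PAGE, "https://cdn.example.net/libs/app.js"))
    print(weaknesses(parse_policy("script-src 'self' 'unsafe-inline'")))
```

Running the script shows why an application that pulls a library from a CDN or embeds `data:` images fails under the default: both loads are refused until the custom policy names the CDN path and the `data:` scheme explicitly. The `weaknesses` check is the kind of review the Google evaluator mentioned below performs; note that it also reports a missing `base-uri` for the default policy, which is worth adding when you write the custom one.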
Troubleshooting and integration
Content Security Policies are not on/off directives but should be tailored to the application. Finding a strict production quality guideline for your application can be challenging, and the CSP standard constantly evolves. However, CSP-related resources and tools are freely available.
Useful resources and tools:
- CSP-related standards are published by the W3C. A comprehensive CSP introduction article is also available on MDN Web Docs.
- Quick reference guides are available on MDN Web Docs (the CSP reference guide) and in the CSP Quick Reference Guide.
- Pages like the Content Security Policy evaluator by Google can assist with reviewing CSP policies. The linked page also offers examples of unsafe and safe policies for illustration.
- Browser development tools like the browser console can help with troubleshooting and integration. Some browsers also offer CSP-related plugins.
- Browser functionalities can be checked on the CSP browser test page.