Content Security Policy (CSP)

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

CSP is designed to be fully backward compatible (except CSP version 2, where there are some explicitly-mentioned inconsistencies in backward compatibility; more details in section 1.1). Browsers that don't support it still work with servers that implement it, and vice versa: browsers that don't support CSP ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If a site doesn't offer the CSP header, browsers likewise use the standard same-origin policy.

To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore.)

Alternatively, the <meta> element can be used to configure a policy, for example:

<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self'; img-src https://*; child-src 'none';" />

Note: Some features, such as sending CSP violation reports, are only available when using the HTTP headers.

Security

Mitigating cross-site scripting

A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust in the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those allowed domains, ignoring all other scripts (including inline scripts and event-handling HTML attributes).

As an ultimate form of protection, sites that want to never allow scripts to be executed can opt to globally disallow script execution.

Mitigating packet sniffing attacks

In addition to restricting the domains from which content can be loaded, the server can specify which protocols are allowed to be used; for example (and ideally, from a security standpoint), a server can specify that all content must be loaded using HTTPS. A complete data transmission security strategy includes not only enforcing HTTPS for data transfer, but also marking all cookies with the secure attribute and providing automatic redirects from HTTP pages to their HTTPS counterparts. Sites may also use the Strict-Transport-Security HTTP header to ensure that browsers connect to them only over an encrypted channel.

Using CSP

Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control what resources the user agent is allowed to load for that page. For example, a page that uploads and displays images could allow images from anywhere, but restrict a form action to a specific endpoint. A properly designed Content Security Policy helps protect a page against a cross-site scripting attack. This article explains how to construct such headers properly, and provides examples.

Specifying your policy

You can use the Content-Security-Policy HTTP header to specify your policy, like this:

Content-Security-Policy: policy

The policy is a string containing the policy directives describing your Content Security Policy.

Writing a policy

A policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area. Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own (for a complete list, see the description of the default-src directive). A policy needs to include a default-src or script-src directive to prevent inline scripts from running, as well as blocking the use of eval(). A policy needs to include a default-src or style-src directive to restrict inline styles from being applied from a <style> element or a style attribute. There are specific directives for a wide variety of types of items, so that each type can have its own policy, including fonts, frames, images, audio and video media, scripts, and workers.

For a complete list of policy directives, see the reference page for the Content-Security-Policy header.

Examples: Common use cases

This section provides examples of some common security policy scenarios.

Example 1

A website administrator wants all content to come from the site's own origin (this excludes subdomains).

Content-Security-Policy: default-src 'self'

Example 2

A website administrator wants to allow content from a trusted domain and all its subdomains (it doesn't have to be the same domain that the CSP is set on).

Content-Security-Policy: default-src 'self' example.com *.example.com

Example 3

A website administrator wants to allow users of a web application to include images from any origin in their own content, but to restrict audio or video media to trusted providers, and all scripts only to a specific server that hosts trusted code.

Content-Security-Policy: default-src 'self'; img-src *; media-src example.org example.net; script-src userscripts.example.com

Here, by default, content is only permitted from the document's origin, with the following exceptions:

  • Images may load from anywhere (note the "*" wildcard).
  • Media is only allowed from example.org and example.net (and not from subdomains of those sites).
  • Executable script is only allowed from userscripts.example.com.

Example 4

A website administrator for an online banking site wants to ensure that all its content is loaded using TLS, in order to prevent attackers from eavesdropping on requests.

Content-Security-Policy: default-src https://onlinebanking.example.com

The server permits access only to documents being loaded specifically over HTTPS through the single origin onlinebanking.example.com.

Example 5

A website administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content.

Content-Security-Policy: default-src 'self' *.example.com; img-src *

Note that this example doesn't specify a script-src; with the example CSP, this site uses the setting specified by the default-src directive, which means that scripts can be loaded only from the originating server.
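The evaluator below is an added example, not code from this article or from any browser. It applies the default-src fallback from "Writing a policy" and the source-matching rules that Examples 1 to 5 rely on (an exact host excludes its subdomains, *.host covers only subdomains, a scheme-qualified source pins the scheme). It deliberately simplifies real CSP matching: ports, nonces, hashes and 'unsafe-inline' are out of scope.

```python
from urllib.parse import urlsplit

def parse_policy(policy: str) -> dict:
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(source: str, url: str, document_origin: str) -> bool:
    """Does one source expression permit this URL? Handles 'none', 'self', '*',
    scheme sources (https:), bare hosts, host wildcards (*.example.com) and
    scheme-qualified hosts (https://host). Ports, nonces, hashes are ignored."""
    u, d = urlsplit(url), urlsplit(document_origin)
    host_name = u.hostname or ""
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == (d.scheme, d.netloc)
    if source == "*":
        return True
    if source.endswith(":"):                 # scheme source, e.g. https:
        return u.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")
    if scheme and u.scheme != scheme:        # an explicit scheme must match
        return False
    if host.startswith("*."):                # wildcard covers subdomains only
        return host_name.endswith(host[1:])
    return host_name == host                 # exact host: subdomains excluded

def is_allowed(policy: str, directive: str, url: str, document_origin: str) -> bool:
    """Evaluate one fetch directive, falling back to default-src when the
    directive is absent; with neither present the load is unrestricted."""
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, document_origin) for s in sources)

if __name__ == "__main__":
    # Example 3 from the article, evaluated for a document on http://app.example.com
    policy = ("default-src 'self'; img-src *; media-src example.org example.net; "
              "script-src userscripts.example.com")
    doc = "http://app.example.com"
    print(is_allowed(policy, "img-src", "http://anywhere.test/a.png", doc))      # True
    print(is_allowed(policy, "media-src", "http://cdn.example.org/a.mp3", doc))  # False
```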

Testing your policy

To ease deployment, CSP can be deployed in report-only mode. The policy is not enforced, but any violations are reported to a provided URI. Additionally, a report-only header can be used to test a future revision to a policy without actually deploying it.

You can use the Content-Security-Policy-Report-Only HTTP header to specify your policy, like this:

Content-Security-Policy-Report-Only: policy

If both a Content-Security-Policy-Report-Only header and a Content-Security-Policy header are present in the same response, both policies are honored. The policy specified in Content-Security-Policy headers is enforced while the Content-Security-Policy-Report-Only policy generates reports but is not enforced.

Enabling reporting

By default, violation reports aren't sent. To enable violation reporting, you need to specify the report-to policy directive, providing at least one URI to which to deliver the reports:

Content-Security-Policy: default-src 'self'; report-to http://reportcollector.example.com/collector.cgi

Then you need to set up your server to receive the reports; it can store or process them in whatever manner you determine is appropriate.

Violation report syntax

The report JSON object is sent with an application/csp-report Content-Type and contains the following data:

blocked-uri

The URI of the resource that was blocked from loading by the Content Security Policy. If the blocked URI is from a different origin than the document-uri, then the blocked URI is truncated to contain just the scheme, host, and port.

disposition

Either "enforce" or "report", depending on whether the policy was delivered in the Content-Security-Policy header or the Content-Security-Policy-Report-Only header.

document-uri

The URI of the document in which the violation occurred.

effective-directive

The directive whose enforcement caused the violation. Some browsers may provide different values, such as Chrome providing style-src-elem/style-src-attr, even when the actually enforced directive was style-src.

original-policy

The original policy as specified by the Content-Security-Policy HTTP header.

referrer Deprecated Non-standard

The referrer of the document in which the violation occurred.

script-sample

The first 40 characters of the inline script, event handler, or style that caused the violation. Only applicable to script-src* and style-src* violations, when they contain the 'report-sample' keyword.

status-code

The HTTP status code of the resource on which the global object was instantiated.

violated-directive Deprecated

The directive whose enforcement caused the violation. The violated-directive is a historic name for the effective-directive field and contains the same value.

Sample violation report

Let's consider a page located at http://example.com/signup.html. It uses the following policy, disallowing everything but stylesheets from cdn.example.com.

Content-Security-Policy: default-src 'none'; style-src cdn.example.com; report-to /_/csp-reports

The HTML of signup.html looks like this:

<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="UTF-8" />
    <title>Sign Up</title>
    <link rel="stylesheet" href="css/style.css" />
  </head>
  <body>
    Here be content.
  </body>
</html>

Can you spot the mistake? Stylesheets are allowed to be loaded only from cdn.example.com, yet the website tries to load one from its own origin (http://example.com). A browser capable of enforcing CSP would send the following violation report as a POST request to http://example.com/_/csp-reports when the document is visited:

{
  "csp-report": {
    "blocked-uri": "http://example.com/css/style.css",
    "disposition": "report",
    "document-uri": "http://example.com/signup.html",
    "effective-directive": "style-src-elem",
    "original-policy": "default-src 'none'; style-src cdn.example.com; report-to /_/csp-reports",
    "referrer": "",
    "status-code": 200,
    "violated-directive": "style-src-elem"
  }
}

As you can see, the report includes the full path to the violating resource in blocked-uri. This is not always the case. For example, if signup.html attempted to load CSS from http://anothercdn.example.com/stylesheet.css, the browser would not include the full path, but only the origin (http://anothercdn.example.com). The CSP specification gives an explanation of this odd behavior. In summary, this is done to prevent leaking sensitive information about cross-origin resources.
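A minimal report collector, added here as an example and not taken from this article or from any browser: it validates a POSTed application/csp-report body along the lines of the field list above, fills in the deprecated violated-directive alias, and models the blocked-uri truncation rule for cross-origin resources. The sample body is constructed from the signup.html report shown above; the function names are this example's own.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Fields a collector should insist on before trusting a report
REQUIRED = ("blocked-uri", "document-uri", "effective-directive", "original-policy", "disposition")

def same_origin(a: str, b: str) -> bool:
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)

def expected_blocked_uri(resource_uri: str, document_uri: str) -> str:
    """The truncation rule described above: a same-origin resource is reported
    with its full path, a cross-origin one only as scheme://host[:port]."""
    if same_origin(resource_uri, document_uri):
        return resource_uri
    p = urlsplit(resource_uri)
    return urlunsplit((p.scheme, p.netloc, "", "", ""))

def parse_report(body: bytes, content_type: str) -> dict:
    """Validate one POSTed report and return its csp-report fields."""
    if content_type.split(";")[0].strip().lower() != "application/csp-report":
        raise ValueError("unexpected Content-Type: " + content_type)
    data = json.loads(body)
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("body has no csp-report object")
    missing = [k for k in REQUIRED if k not in report]
    if missing:
        raise ValueError("report missing fields: " + ", ".join(missing))
    if report["disposition"] not in ("enforce", "report"):
        raise ValueError("bad disposition: " + str(report["disposition"]))
    # violated-directive is the historic alias for effective-directive
    report.setdefault("violated-directive", report["effective-directive"])
    return report

# Constructed sample: the article's signup.html report as a browser would POST it
SAMPLE_BODY = json.dumps({"csp-report": {
    "blocked-uri": "http://example.com/css/style.css",
    "disposition": "report",
    "document-uri": "http://example.com/signup.html",
    "effective-directive": "style-src-elem",
    "original-policy": "default-src 'none'; style-src cdn.example.com; report-to /_/csp-reports",
    "referrer": "",
    "status-code": 200,
    "violated-directive": "style-src-elem"}}).encode()

if __name__ == "__main__":
    r = parse_report(SAMPLE_BODY, "application/csp-report")
    print(r["disposition"], r["effective-directive"], "blocked", r["blocked-uri"])
    print(expected_blocked_uri("http://anothercdn.example.com/stylesheet.css", r["document-uri"]))
```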

Browser compatibility


Compatibility notes

A specific incompatibility exists in some versions of the Safari web browser, whereby if a Content Security Policy header is set, but not a Same Origin header, the browser will block self-hosted content and off-site content, and incorrectly report that this is due to the Content Security Policy not allowing the content.

See also