1. Home
  2. Security Hardening
  3. Headers
  4. Security Headers – Content Security Policy (CSP)

Security Headers – Content Security Policy (CSP)

Content Security Policy (CSP) is a web security standard that helps protect websites against various types of attacks, such as Cross-Site Scripting (XSS) and data injection.

CSP enables website administrators to define and enforce a set of rules specifying which resources (e.g., scripts, stylesheets, images) can be loaded and executed by a web page. This enhances the security of web applications by reducing the risk of code injection and other malicious activities.

How CSP Works

Content Security Policy (CSP) protects websites by defining and enforcing a set of rules regarding the sources from which various types of content can be loaded and executed.

Here’s how CSP works:

Defining a Security PolicyWebsite administrators configure a Content Security Policy by including a Content-Security-Policy header in the HTTP response sent by the web server. This header contains directives and source expressions that define the allowed sources for different types of resources.
Limiting Script ExecutionThe script-src directive is crucial for controlling the execution of JavaScript. By specifying allowed sources, administrators can prevent the execution of scripts from unauthorized or potentially malicious locations.
Controlling Stylesheets and ImagesSimilar to scripts, the style-src and img-src directives control the sources from which stylesheets and images can be loaded.
Preventing Inline Scripts and StylesCSP allows administrators to minimize the risk of inline code injection by disallowing the use of 'unsafe-inline'.
Mitigating Data InjectionThe data: source expression in img-src allows data URIs, but other directives can restrict data injection vectors.
Handling Network RequestsThe connect-src directive controls the sources to which the browser can make network requests, helping prevent malicious communication with unauthorized servers.
Blocking Untrusted SourcesWhen a web page attempts to load content or execute scripts from a source not explicitly allowed by the CSP policy, the browser blocks these requests and executions, preventing potential security risks.
Reporting ViolationsAdministrators can include a report-uri or report-to directive in the CSP header to receive reports on policy violations. This helps in identifying and addressing security issues.
Dynamic Policy UpdatesCSP allows for dynamic policy updates using the Content-Security-Policy-Report-Only header. This allows administrators to test and monitor policy changes without enforcing them immediately.
Enforcing Least PrivilegeBy explicitly specifying the allowed sources, CSP follows the principle of least privilege, limiting the attack surface and reducing the impact of potential security vulnerabilities.

Anatomy of the CSP Header

The Content Security Policy (CSP) header has a specific syntax, here are the basic elements:

Content-Security-Policy: directive1 value1; directive2 value2;

Here is what each part means:

DirectiveDescriptionExample
default-srcSpecifies the default source for content that doesn’t have a specific directive. It acts as a fallback.default-src ‘self’ example.com;
script-srcSpecifies the allowed sources for JavaScript.script-src ‘self’ example.com;
style-srcSpecifies the allowed sources for stylesheets.style-src ‘self’ example.com;
img-srcSpecifies the allowed sources for images.img-src ‘self’ data:;
connect-srcSpecifies the allowed sources for network requests (e.g., AJAX, WebSocket).connect-src ‘self’ api.example.com;
font-srcSpecifies the allowed sources for fonts.font-src ‘self’ fonts.gstatic.com;

Source Expression Options

Sources can be specified using various expressions:

ExpressionDescription
selfAllows resources from the same origin.
unsafe-inlineAllows inline scripts/styles (not recommended for security).
unsafe-evalAllows the use of eval() and similar functions (not recommended for security).
dataAllows data URIs.

Example CSP Configurations

Basic CSP Header

Here’s an example CSP header that allows scripts and styles only from the same origin and images from the same origin and data URIs:

Content-Security-Policy: script-src 'self'; style-src 'self'; img-src 'self' data:;

CSP Header Reporting Violations

Administrators can include a report-uri or report-to directive in the CSP header to receive reports on policy violations.

Content-Security-Policy: script-src 'self'; report-uri /csp-report-endpoint/;

Allowing Specific Domains for Scripts and Styles

This example allows scripts from 'self', example.com, and cdn.example.com, and styles from 'self' and fonts.googleapis.com.

Content-Security-Policy: script-src 'self' example.com cdn.example.com; style-src 'self' fonts.googleapis.com;

Allowing Data URIs for Images

This example allows images from the same origin and data URIs.

Content-Security-Policy: img-src 'self' data:;

Restricting Inline Scripts and Styles

This example restricts the use of inline scripts and styles.

Content-Security-Policy: script-src 'self'; style-src 'self';

Allowing Connections to Specific Domains

This example allows connections (e.g., AJAX requests) to the same origin and api.example.com.

Content-Security-Policy: connect-src 'self' api.example.com;

Enforcing HTTPS with HSTS

Combining Content Security Policy with HTTP Strict Transport Security (HSTS) to enforce the use of HTTPS.

Content-Security-Policy: default-src 'self'; upgrade-insecure-requests;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Testing and Reporting Only

Using the Content-Security-Policy-Report-Only header for testing policy changes without enforcing them.

Content-Security-Policy-Report-Only: script-src 'self'; report-uri /csp-report-endpoint/;

Allowing Frames from Specific Domains

This example allows the web page to be embedded in frames on the same origin and trusted-site.com.

Content-Security-Policy: frame-ancestors 'self' trusted-site.com;
Updated on December 13, 2023
Was this article helpful?

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Email: support@noc.org