Content security policy

Defines which content a website is allowed to load and run.

About

Content Security Policy (CSP) is a security feature that:

  • Protects websites against attacks such as cross-site scripting (XSS) and clickjacking.
  • Defines, for each content type (JavaScript, CSS, images, fonts, frames), the sources the browser may load it from.

Key point:

It’s an extra layer of protection, not the primary defense: output encoding and input validation remain the first line of defense against XSS, and a CSP limits the damage when those fail.

Guidance

Cybersecurity and Infrastructure Security Agency:

Implement a Content Security Policy (CSP). Website owners should also consider implementing a CSP. Implementing a CSP lessens the chances of an attacker successfully loading and running malicious JavaScript on the end user machine.

Code

Example header (wrapped here for readability; the real header value is a single line of semicolon-separated directives). Note that 'unsafe-inline' in style-src is a common concession for inline styles but leaves CSS injection unblocked; prefer nonces or hashes where the site can use them:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://example.gov;
  style-src 'self' 'unsafe-inline';
  img-src 'self' https://example.gov;
  font-src 'self' https://example.gov;
  object-src 'none';
  frame-ancestors 'none';
  upgrade-insecure-requests;

Example HTML code, for sites that cannot set response headers. The meta element must appear in <head> before any script or other resource is loaded, and the frame-ancestors, report-uri and sandbox directives are ignored in a meta policy, so clickjacking protection still requires the HTTP header:

<!-- Content Security Policy example using meta tag.
     frame-ancestors is omitted here because browsers ignore it in a meta
     policy; deliver it via the Content-Security-Policy HTTP header. -->
<meta http-equiv="Content-Security-Policy" content="
  default-src 'self';
  script-src 'self' https://example.gov;
  style-src 'self' 'unsafe-inline';
  img-src 'self' https://example.gov;
  font-src 'self' https://example.gov;
  object-src 'none';
  upgrade-insecure-requests;
">
