Content security policy

Controls which sources a site is allowed to load content from.

Guidance

All government websites should have a content security policy.

Cybersecurity and Infrastructure Security Agency:

Implement a Content Security Policy (CSP). Website owners should also consider implementing a CSP. Implementing a CSP lessens the chances of an attacker successfully loading and running malicious JavaScript on the end user machine.

About

Content Security Policy (CSP) is a security standard that helps protect websites from attacks like cross-site scripting (XSS) by allowing website owners to declare trusted sources of content.

CSP is delivered in an HTTP response header or an HTML meta tag, and uses directives such as default-src, script-src, and img-src to control where each kind of resource may be loaded from. A policy can be enforced or run in report-only mode to surface violations. CSP does not replace careful output encoding and input validation; it is a defense-in-depth measure. A strict CSP, which authorizes scripts with per-response nonces or content hashes rather than a host allowlist, is more secure.

Note: It’s an extra layer of protection, not the primary defense.

Code

Example header:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://example.gov;
  style-src 'self' 'unsafe-inline';
  img-src 'self' https://example.gov;
  font-src 'self' https://example.gov;
  object-src 'none';
  frame-ancestors 'none';
  upgrade-insecure-requests;

Example HTML code:

<!-- Content Security Policy example using a meta tag. Place it early in <head>,
     before any scripts. frame-ancestors (like report-uri and sandbox) is ignored
     when delivered this way, so it is omitted here and must be sent in the
     HTTP header instead. -->
<meta http-equiv="Content-Security-Policy" content="
  default-src 'self';
  script-src 'self' https://example.gov;
  style-src 'self' 'unsafe-inline';
  img-src 'self' https://example.gov;
  font-src 'self' https://example.gov;
  object-src 'none';
  upgrade-insecure-requests;
">
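As an added example (not code from the original page), the Python below parses a serialized policy the way a browser splits it and runs the checks a reviewer would apply, using the header example above as input: it reports the 'unsafe-inline' style-src setting and the missing base-uri directive, and, when told the policy arrived in a meta tag, that frame-ancestors is ignored there.

```python
import re
from typing import Dict, List

# The header example from this page, serialized on one line as a browser receives it.
EXAMPLE_POLICY = (
    "default-src 'self'; script-src 'self' https://example.gov; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' https://example.gov; "
    "font-src 'self' https://example.gov; object-src 'none'; "
    "frame-ancestors 'none'; upgrade-insecure-requests;"
)

# Directives browsers ignore when the policy arrives in a <meta> tag rather than a header.
META_IGNORED = {"frame-ancestors", "report-uri", "report-to", "sandbox"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [source expressions]}.
    Directives are ';'-separated, tokens whitespace-separated; a repeated
    directive keeps its first occurrence, which is what browsers enforce."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(policy: str, via_meta: bool = False) -> List[str]:
    """Return the findings a reviewer would raise about a policy."""
    d = parse_csp(policy)
    findings: List[str] = []
    # script-src falls back to default-src when absent.
    script = d.get("script-src", d.get("default-src", []))
    has_nonce_or_hash = any(re.match(r"^'(nonce|sha256|sha384|sha512)-", s) for s in script)
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it alone.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts execute")
    if any(s in ("*", "http:", "https:", "data:") for s in script):
        findings.append("script-src permits a wildcard or whole-scheme source")
    if "object-src" not in d and "'none'" not in d.get("default-src", []):
        findings.append("object-src missing: plugin content is not blocked")
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    if "'unsafe-inline'" in d.get("style-src", []):
        findings.append("style-src allows 'unsafe-inline': CSS injection is possible (lower risk than script)")
    if via_meta:
        for name in sorted(META_IGNORED & set(d)):
            findings.append(f"{name} is ignored in a <meta> tag; deliver it in the HTTP header")
    return findings
```

Run `audit_csp(EXAMPLE_POLICY)` for the header form and `audit_csp(EXAMPLE_POLICY, via_meta=True)` for the meta form; a nonce-based strict policy with object-src and base-uri set returns no findings.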
