May 11, 2026 admin
Content Security Policy (CSP)
Content Security Policy (CSP) acts as an extra layer of defence for web applications. It restricts what resources, like scripts, images, and stylesheets, can be loaded by a webpage. This helps mitigate XSS (Cross-Site Scripting) attacks and other injection vulnerabilities.
How CSP Works
CSP is delivered to the browser as an HTTP response header (Content-Security-Policy) or a meta tag. The policy dictates which resources are allowed to load and from where. If a resource violates the policy, the browser blocks it.
Example of a CSP
Let’s look at a basic CSP example:
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com;
In this example, we have two directives:
- default-src: Restricts resources (scripts, images, styles, etc.) to be loaded only from the same origin (the domain serving the webpage). It is also the fallback for any fetch directive that is not set explicitly.
- script-src: Allows scripts to be loaded from two sources: the same origin ('self') and a specific CDN (https://cdn.example.com). Because it is set explicitly, it takes precedence over default-src for scripts.
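To make the directive lookup concrete, here is an added example (not code from the article) that parses the policy above and decides, the way a browser would, whether a given resource URL may load. It assumes a page origin of https://www.example.com and deliberately simplifies source matching: host sources must carry a scheme, and wildcards are not handled.

```python
from urllib.parse import urlsplit

# Policy from the article, header value only (the "Content-Security-Policy:" name stripped).
EXAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com;"

# Fetch directives that fall back to default-src when not set explicitly (subset).
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                         "connect-src", "frame-src", "media-src", "object-src"}


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # trailing ';' or empty segment
        # Browsers honour the first occurrence of a directive and ignore duplicates.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit fetching `url` from a page at `page_origin`?"""
    if source == "'self'":
        return origin_of(url) == page_origin.lower()
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never authorise a URL fetch
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:  # scheme source, e.g. "https:"
        return urlsplit(url).scheme.lower() == source[:-1].lower()
    # Host source written with a scheme, e.g. https://cdn.example.com (simplified: no wildcards).
    return origin_of(url) == origin_of(source)


def is_allowed(policy: dict[str, list[str]], directive: str, url: str, page_origin: str) -> bool:
    """Decide whether the browser would load `url` for `directive` under `policy`."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")  # the fallback described above
    if sources is None:
        return True  # no governing directive at all: nothing to enforce
    return any(source_matches(src, url, page_origin) for src in sources)
```

With this policy an image from the CDN is blocked even though a script from the CDN is allowed, because img-src is not set and falls back to default-src 'self'.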
Benefits of CSP
- XSS Protection: By restricting script loading, CSP makes it difficult for attackers to inject malicious scripts into your website.
- Clickjacking Defense: The frame-ancestors directive controls which sites may embed your page in a frame or iframe, which defends against clickjacking.
- Improved Security Posture: CSP adds another layer of security to your web application, making it more resistant to attacks.