Content Security Policy

Content Security Policy (CSP) is a security feature that helps prevent various attacks, such as Cross-Site Scripting (XSS) and data injection attacks. It allows web developers to control the resources (scripts, styles, images, etc.) a webpage can load and execute. CSP is implemented using the Content-Security-Policy HTTP header.

Key Directives

default-src: Specifies the default policy for loading content such as JavaScript, images, CSS, fonts, AJAX requests, frames, HTML5 media, and Web Workers.
script-src: Controls from where the scripts can be loaded. This helps mitigate XSS attacks.
style-src: Controls from where the stylesheets can be loaded.
img-src: Controls from where the images can be loaded.
connect-src: Controls from where the application can fetch (via XHR, WebSockets, and EventSource).
font-src: Controls from where the fonts can be loaded.
object-src: Controls from where object, embed, and applet tags can load resources.
media-src: Controls from where the media files (audio and video) can be loaded.
frame-src: Controls from where the frames can be loaded.

Example CSP Header

Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; style-src 'self' https://cdn.example.com;

This example policy only allows content to be loaded from the same origin ('self') and explicitly allows scripts from https://apis.example.com and styles from https://cdn.example.com.

Edge Cases in CSP

Inline Scripts and Styles:
- Inline scripts and styles are blocked by default under CSP unless allowed using 'unsafe-inline'. Allowing 'unsafe-inline' negates much of the benefit of CSP as it reintroduces the risk of XSS.
- Mitigation: Use nonces or hashes to allow specific inline scripts or styles.
Third-Party Content:
- Allowing third-party content can reintroduce vulnerabilities if the third-party source is compromised.
- Mitigation: Limit third-party content and use Subresource Integrity (SRI) to ensure the integrity of resources.
Dynamic Content:
- Applications that generate dynamic content need to carefully manage CSP to avoid inadvertently blocking legitimate content or allowing malicious content.
- Mitigation: Use nonce-based or hash-based CSP for dynamic scripts and styles.
Compatibility Issues:
- Older browsers may not support CSP, or may have partial support, leading to inconsistent behavior.
- Mitigation: Implement feature detection and provide fallbacks where necessary.
Reporting:
- CSP can include a reporting mechanism via the report-uri or report-to directive to send violation reports.
- Edge Case: High volume of violation reports can lead to performance issues.
- Mitigation: Monitor and handle reports effectively, ensuring they do not overwhelm the server.
Strict CSP Blocking Legitimate Content:
- A very strict CSP might block legitimate resources necessary for the application to function correctly.
- Mitigation: Gradually tighten CSP policies, starting with a more permissive policy and iterating based on the reports received.
Service Workers:
- Service Workers operate independently of the CSP, potentially leading to unexpected behavior.
- Mitigation: Ensure CSP policies are correctly applied to Service Workers and other independent scripts.

Best Practices for Implementing CSP

Start with a report-only mode: Use Content-Security-Policy-Report-Only to gather data on what resources are being blocked without affecting the user experience.
Use nonces or hashes: Instead of 'unsafe-inline', use nonces (nonce-value) or hashes ('sha256-...') to allow specific inline scripts and styles.
Regularly review and update policies: CSP should be reviewed and updated regularly to adapt to changes in the application and new security threats.
Integrate CSP into development: Ensure CSP is considered from the early stages of development to avoid conflicts and issues during deployment.

By carefully designing and implementing a robust CSP, web developers can significantly enhance the security posture of their web applications.

How CSP Protects from Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. CSP mitigates XSS by restricting the sources from which content can be loaded and executed, thus preventing the injection and execution of unauthorized scripts.

Mechanisms of CSP in Preventing XSS:

Restricting Script Sources:
- CSP directives like script-src allow developers to specify trusted sources from which scripts can be loaded. This prevents scripts from untrusted sources from being executed.
Blocking Inline Scripts:
- By default, CSP blocks the execution of inline scripts (e.g., <script> tags with embedded code) unless explicitly allowed using 'unsafe-inline'. This is crucial because many XSS attacks rely on injecting inline scripts.
Nonce-Based and Hash-Based Policies:
- CSP allows the use of nonces (randomly generated numbers) and hashes to permit specific inline scripts. This ensures that only scripts with the correct nonce or hash can be executed, even if they are inline.
Disallowing eval() and Similar Functions:
- CSP can block the use of JavaScript functions like eval(), setTimeout(string), setInterval(string), and new Function(), which are often used to execute malicious scripts.

Example of CSP Mitigating XSS

Let's consider a scenario where a website is vulnerable to an XSS attack due to improper input sanitization.

Scenario: A comment section on a website does not sanitize user inputs properly, allowing an attacker to inject a script.

Without CSP

If CSP is not implemented, an attacker might submit a comment like this:

<script>alert('XSS Attack');</script>

The script will execute when other users visit the comment section, displaying an alert box.

With CSP

Implementing CSP can prevent this attack. Here’s an example of a CSP header that could protect against such an XSS attack:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; object-src 'none'; frame-ancestors 'none';

Explanation:

default-src 'self': Allows resources to be loaded only from the same origin.
script-src 'self' https://trusted.cdn.com: Only allows scripts to be loaded from the same origin and a trusted CDN.
object-src 'none': Prevents the use of <object>, <embed>, and <applet> tags, which can be used for XSS attacks.
frame-ancestors 'none': Prevents the page from being framed, protecting against clickjacking attacks.

Impact:

Blocking Inline Scripts:
- The injected script <script>alert('XSS Attack');</script> will be blocked because inline scripts are not allowed unless they have a valid nonce or hash.
Restricting External Scripts:
- Any script not from self or https://trusted.cdn.com will be blocked. Thus, even if an attacker manages to include an external script source, it will not be executed.

Example with Nonce: To allow specific inline scripts, a nonce can be used. The CSP header would look like this:

httpCopy codeContent-Security-Policy: default-src 'self'; script-src 'self' 'nonce-<random_value>'; object-src 'none'; frame-ancestors 'none';

And the inline script tag would need to include the nonce:

<script nonce="<random_value>">alert('Safe script');</script>

This way, only the inline scripts with the correct nonce will be executed, preventing malicious scripts from running.

Summary

By using CSP, developers can effectively mitigate XSS attacks by:

Restricting the sources from which scripts can be loaded.
Blocking the execution of inline scripts unless they have the correct nonce or hash.
Preventing the use of potentially dangerous functions like eval().
Disallowing the use of objects and frames that can be vectors for XSS attacks.

Implementing CSP is a powerful measure in enhancing the security of web applications against XSS and other types of attacks.

Best Practices for Using Content Security Policy (CSP)

Implementing Content Security Policy (CSP) effectively requires careful planning and consideration of the web application's needs and potential security risks. Here are some best practices for using CSP:

Start with Report-Only Mode:
- Purpose: Allows you to monitor the policy's impact without enforcing it, helping to identify potential issues.
- Implementation:
  Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.cdn.com; report-uri /csp-report-endpoint;
- Action: Collect and review violation reports to adjust the policy before enforcing it.

Define a Comprehensive Policy:

Coverage: Include directives for all types of resources (scripts, styles, images, fonts, etc.).

Example:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' https://trusted.cdn.com; img-src 'self' data:; font-src 'self' https://fonts.example.com; object-src 'none'; connect-src 'self'; frame-ancestors 'none';

Use Nonces or Hashes for Inline Content:

Purpose: Allows specific inline scripts or styles while blocking others.

Implementation:

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-randomValue'; style-src 'self' 'nonce-randomValue';

Example:

<script nonce="randomValue">/* Inline script content */</script>

Avoid unsafe-inline and unsafe-eval:
- Reason: These values allow the execution of inline scripts and the use of eval() functions, which can be exploited.
- Alternatives: Use nonces or hashes to allow necessary inline scripts and styles.
Limit Third-Party Content:
- Risk: Third-party content can introduce vulnerabilities if compromised.
- Implementation: Whitelist only trusted sources and use Subresource Integrity (SRI) to ensure resource integrity.
- Example:
  <script src="https://trusted.cdn.com/script.js" integrity="sha384-abc123"></script>
Use CSP Level 3 Features:
- Features: CSP Level 3 includes nonces, hashes, and new directives for more granular control.
- Example:
  Content-Security-Policy: script-src 'self' 'nonce-randomValue' 'strict-dynamic'; object-src 'none'; base-uri 'self';
Regularly Review and Update CSP:
- Reason: As your web application evolves, new resources may need to be allowed or existing ones restricted.
- Action: Monitor reports, conduct security reviews, and update CSP policies accordingly.
Monitor and Respond to Violation Reports:
- Purpose: Detect and respond to potential security issues.
- Implementation:
  Content-Security-Policy: default-src 'self'; report-uri /csp-report-endpoint;
Integrate CSP into Development and Deployment Processes:
- Practice: Make CSP a part of the CI/CD pipeline to ensure policies are tested and deployed consistently.
- Action: Automate CSP testing and reporting during development and staging.
Educate Development Teams:
- Reason: Developers need to understand CSP to effectively implement and maintain it.
- Action: Provide training and resources on CSP best practices and common pitfalls.

Example of a Comprehensive CSP Header

Content-Security-Policy: 
  default-src 'self'; 
  script-src 'self' 'nonce-randomValue' https://apis.trusted.com; 
  style-src 'self' 'nonce-randomValue' https://cdn.trusted.com; 
  img-src 'self' data:; 
  font-src 'self' https://fonts.trusted.com; 
  connect-src 'self' https://api.trusted.com; 
  object-src 'none'; 
  media-src 'self'; 
  frame-ancestors 'none'; 
  base-uri 'self'; 
  form-action 'self'; 
  report-uri /csp-report-endpoint;

Summary

By following these best practices, you can implement an effective CSP that significantly enhances your web application's security against XSS and other types of attacks. Regular monitoring, updating, and educating your development team are crucial for maintaining a robust CSP implementation.

PreviousSecurity Headers NextSame Origin Policy

Last updated 9 months ago

Was this helpful?

Content Security Policy

Key Directives

default-src: Specifies the default policy for loading content such as JavaScript, images, CSS, fonts, AJAX requests, frames, HTML5 media, and Web Workers.
script-src: Controls from where the scripts can be loaded. This helps mitigate XSS attacks.
style-src: Controls from where the stylesheets can be loaded.
img-src: Controls from where the images can be loaded.
connect-src: Controls from where the application can fetch (via XHR, WebSockets, and EventSource).
font-src: Controls from where the fonts can be loaded.
object-src: Controls from where object, embed, and applet tags can load resources.
media-src: Controls from where the media files (audio and video) can be loaded.
frame-src: Controls from where the frames can be loaded.

Example CSP Header

Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; style-src 'self' https://cdn.example.com;

This example policy only allows content to be loaded from the same origin ('self') and explicitly allows scripts from https://apis.example.com and styles from https://cdn.example.com.

Edge Cases in CSP

Inline Scripts and Styles:
- Inline scripts and styles are blocked by default under CSP unless allowed using 'unsafe-inline'. Allowing 'unsafe-inline' negates much of the benefit of CSP as it reintroduces the risk of XSS.
- Mitigation: Use nonces or hashes to allow specific inline scripts or styles.
Third-Party Content:
- Allowing third-party content can reintroduce vulnerabilities if the third-party source is compromised.
- Mitigation: Limit third-party content and use Subresource Integrity (SRI) to ensure the integrity of resources.
Dynamic Content:
- Applications that generate dynamic content need to carefully manage CSP to avoid inadvertently blocking legitimate content or allowing malicious content.
- Mitigation: Use nonce-based or hash-based CSP for dynamic scripts and styles.
Compatibility Issues:
- Older browsers may not support CSP, or may have partial support, leading to inconsistent behavior.
- Mitigation: Implement feature detection and provide fallbacks where necessary.
Reporting:
- CSP can include a reporting mechanism via the report-uri or report-to directive to send violation reports.
- Edge Case: High volume of violation reports can lead to performance issues.
- Mitigation: Monitor and handle reports effectively, ensuring they do not overwhelm the server.
Strict CSP Blocking Legitimate Content:
- A very strict CSP might block legitimate resources necessary for the application to function correctly.
- Mitigation: Gradually tighten CSP policies, starting with a more permissive policy and iterating based on the reports received.
Service Workers:
- Service Workers operate independently of the CSP, potentially leading to unexpected behavior.
- Mitigation: Ensure CSP policies are correctly applied to Service Workers and other independent scripts.

Best Practices for Implementing CSP

Start with a report-only mode: Use Content-Security-Policy-Report-Only to gather data on what resources are being blocked without affecting the user experience.
Use nonces or hashes: Instead of 'unsafe-inline', use nonces (nonce-value) or hashes ('sha256-...') to allow specific inline scripts and styles.
Regularly review and update policies: CSP should be reviewed and updated regularly to adapt to changes in the application and new security threats.
Integrate CSP into development: Ensure CSP is considered from the early stages of development to avoid conflicts and issues during deployment.

By carefully designing and implementing a robust CSP, web developers can significantly enhance the security posture of their web applications.

How CSP Protects from Cross-Site Scripting (XSS)

Mechanisms of CSP in Preventing XSS:

Restricting Script Sources:
- CSP directives like script-src allow developers to specify trusted sources from which scripts can be loaded. This prevents scripts from untrusted sources from being executed.
Blocking Inline Scripts:
- By default, CSP blocks the execution of inline scripts (e.g., <script> tags with embedded code) unless explicitly allowed using 'unsafe-inline'. This is crucial because many XSS attacks rely on injecting inline scripts.
Nonce-Based and Hash-Based Policies:
- CSP allows the use of nonces (randomly generated numbers) and hashes to permit specific inline scripts. This ensures that only scripts with the correct nonce or hash can be executed, even if they are inline.
Disallowing eval() and Similar Functions:
- CSP can block the use of JavaScript functions like eval(), setTimeout(string), setInterval(string), and new Function(), which are often used to execute malicious scripts.

Example of CSP Mitigating XSS

Let's consider a scenario where a website is vulnerable to an XSS attack due to improper input sanitization.

Scenario: A comment section on a website does not sanitize user inputs properly, allowing an attacker to inject a script.

Without CSP

If CSP is not implemented, an attacker might submit a comment like this:

<script>alert('XSS Attack');</script>

The script will execute when other users visit the comment section, displaying an alert box.

With CSP

Implementing CSP can prevent this attack. Here’s an example of a CSP header that could protect against such an XSS attack:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; object-src 'none'; frame-ancestors 'none';

Explanation:

default-src 'self': Allows resources to be loaded only from the same origin.
script-src 'self' https://trusted.cdn.com: Only allows scripts to be loaded from the same origin and a trusted CDN.
object-src 'none': Prevents the use of <object>, <embed>, and <applet> tags, which can be used for XSS attacks.
frame-ancestors 'none': Prevents the page from being framed, protecting against clickjacking attacks.

Impact:

Blocking Inline Scripts:
- The injected script <script>alert('XSS Attack');</script> will be blocked because inline scripts are not allowed unless they have a valid nonce or hash.
Restricting External Scripts:
- Any script not from self or https://trusted.cdn.com will be blocked. Thus, even if an attacker manages to include an external script source, it will not be executed.

Example with Nonce: To allow specific inline scripts, a nonce can be used. The CSP header would look like this:

httpCopy codeContent-Security-Policy: default-src 'self'; script-src 'self' 'nonce-<random_value>'; object-src 'none'; frame-ancestors 'none';

And the inline script tag would need to include the nonce:

<script nonce="<random_value>">alert('Safe script');</script>

This way, only the inline scripts with the correct nonce will be executed, preventing malicious scripts from running.

Summary

By using CSP, developers can effectively mitigate XSS attacks by:

Restricting the sources from which scripts can be loaded.
Blocking the execution of inline scripts unless they have the correct nonce or hash.
Preventing the use of potentially dangerous functions like eval().
Disallowing the use of objects and frames that can be vectors for XSS attacks.

Implementing CSP is a powerful measure in enhancing the security of web applications against XSS and other types of attacks.

Best Practices for Using Content Security Policy (CSP)

Start with Report-Only Mode:
- Purpose: Allows you to monitor the policy's impact without enforcing it, helping to identify potential issues.
- Implementation:
  Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.cdn.com; report-uri /csp-report-endpoint;
- Action: Collect and review violation reports to adjust the policy before enforcing it.

Define a Comprehensive Policy:

Coverage: Include directives for all types of resources (scripts, styles, images, fonts, etc.).

Example:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' https://trusted.cdn.com; img-src 'self' data:; font-src 'self' https://fonts.example.com; object-src 'none'; connect-src 'self'; frame-ancestors 'none';

Use Nonces or Hashes for Inline Content:

Purpose: Allows specific inline scripts or styles while blocking others.

Implementation:

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-randomValue'; style-src 'self' 'nonce-randomValue';

Example:

<script nonce="randomValue">/* Inline script content */</script>

Avoid unsafe-inline and unsafe-eval:
- Reason: These values allow the execution of inline scripts and the use of eval() functions, which can be exploited.
- Alternatives: Use nonces or hashes to allow necessary inline scripts and styles.
Limit Third-Party Content:
- Risk: Third-party content can introduce vulnerabilities if compromised.
- Implementation: Whitelist only trusted sources and use Subresource Integrity (SRI) to ensure resource integrity.
- Example:
  <script src="https://trusted.cdn.com/script.js" integrity="sha384-abc123"></script>
Use CSP Level 3 Features:
- Features: CSP Level 3 includes nonces, hashes, and new directives for more granular control.
- Example:
  Content-Security-Policy: script-src 'self' 'nonce-randomValue' 'strict-dynamic'; object-src 'none'; base-uri 'self';
Regularly Review and Update CSP:
- Reason: As your web application evolves, new resources may need to be allowed or existing ones restricted.
- Action: Monitor reports, conduct security reviews, and update CSP policies accordingly.
Monitor and Respond to Violation Reports:
- Purpose: Detect and respond to potential security issues.
- Implementation:
  Content-Security-Policy: default-src 'self'; report-uri /csp-report-endpoint;
Integrate CSP into Development and Deployment Processes:
- Practice: Make CSP a part of the CI/CD pipeline to ensure policies are tested and deployed consistently.
- Action: Automate CSP testing and reporting during development and staging.
Educate Development Teams:
- Reason: Developers need to understand CSP to effectively implement and maintain it.
- Action: Provide training and resources on CSP best practices and common pitfalls.

Example of a Comprehensive CSP Header

Content-Security-Policy: 
  default-src 'self'; 
  script-src 'self' 'nonce-randomValue' https://apis.trusted.com; 
  style-src 'self' 'nonce-randomValue' https://cdn.trusted.com; 
  img-src 'self' data:; 
  font-src 'self' https://fonts.trusted.com; 
  connect-src 'self' https://api.trusted.com; 
  object-src 'none'; 
  media-src 'self'; 
  frame-ancestors 'none'; 
  base-uri 'self'; 
  form-action 'self'; 
  report-uri /csp-report-endpoint;

Summary

PreviousSecurity Headers NextSame Origin Policy

Last updated 9 months ago

Was this helpful?