Everything you need to know about CSP Header 🔬

What is a CSP ?

• CSP stands for Content Security Policy which is a mechanism to define which resources can be fetched out or executed by a web page.
  
• In other words, it can be understood as a policy that decides which scripts, images, iframes can be called or executed on a particular page from different locations.
   

Why it is used?

• Content Security Policy is widely used to secure web applications against content injection like cross-site scripting attacks.
  
• Also by using CSP the server can specify which protocols are allowed to be used.
   

How Does it work?

• CSP works by restricting the origins that active and passive content can be loaded from.
  
• From there, it’s browser’s call to follow that policy and actively block violations as they are detected.
   

Common CSP directives:

Common CSP sources:

An Example:

Content-Security-Policy: default-src 'self'; script-src https://bhaveshthakur.com; report-uri /Report-parsing-url;

• <img src=image.jpg> --> This image will be allowed as image is loading from same domain i.e. bhaveshthakur.com
• <script src=script.js> --> This script will be allowed as the script is loading from the same domain i.e. bhaveshthakur.com
• <script src=https://evil.com/script.js> --> This script will not-allowed as the script is trying to load from undefined domain i.e. evil.com
• "/><script>alert(1337)</script> --> This will not-allowed on the page.
   

Automatic Analysis

There are few online tools that are very helpful.

• withgoogle
• cspvalidator
• 
   

Credit

Based on Bhavesh Thakur's writeup.
 

Support

You can Follow me on twitter or buy me a Coffee