Content-Security-Policy HTTP Header Braindump
April 27, 2018 #http #webdev #javascript #security
From Content Security Policy (CSP) - HTTP | MDN
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks
From Content Security Policy | Web Fundamentals | Google Developers
This overview highlights a defense that can significantly reduce the risk and impact of XSS attacks in modern browsers: Content Security Policy (CSP).
From Dev guide - Content Security Policy - Microsoft Edge Development | Microsoft Docs
The CSP security standard enables web developers to control the resources (script, CSS, plugins, images, etc.) which a particular page can fetch or execute with the aim of preventing cross-site scripting (XSS), clickjacking, and other code injection attacks seeking to execute malicious content in the context of a trusted web page.
From OWASP Top 10 - 2017 A7 Cross-Site Scripting (XSS)
Enabling a Content Security Policy (CSP) is a defense-in-depth mitigating control against XSS.
This can be controlled via the Content-Security-Policy HTTP Header. The CSP Cheat Sheet “is a concise overview of all supported features and directives” and “can be used as a quick reference guide” because of the many examples and external links. CSP is supported at various levels in all major browsers (see https://caniuse.com/#search=Content%20Security%20Policy). Twitter even sends different policies to different browsers (see secureheaders/policy_management.rb at master · twitter/secureheaders · GitHub ), but they could do even better (see Optimising Twitter’s CSP header).
Some articles for getting started:
- Google Online Security Blog: Reshaping web defenses with strict Content Security Policy
- Introduction - Content Security Policy
- My Blog Now Has a Content Security Policy - Here’s How I’ve Done It
- A proper Content Security Policy Generator | 4ARMED
- How to Get Started with a Content Security Policy
- Building a Content Security Policy configuration with CSP Auditor
- GitHub’s post-CSP journey | GitHub Engineering
- Making CSP great again! - Michele Spagnuolo and Lukas Weichselbaum // Speaker Deck
- Learning Path: Modern Web Pillars—Security [Learning Path] (Safari Online Video)
The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. Several tools leverage this browser reporting to help developers create policies:
- Fiddler: GitHub - david-risney/CSP-Fiddler-Extension: Content Security Policy rule collector extension for Fiddler
- OWASP ZAP: GitHub - GoSecure/csp-auditor: Burp and ZAP plugin to analyse Content-Security-Policy headers or generate template CSP c…
- Chrome: GitHub - 4ARMED/csp-generator-extension: Google Chrome Extension for interacting with 4ARMED’s Content Security Policy G… along with GitHub - 4ARMED/csp-backend: Sinatra app that accepts CSP violation reports and generates policies based on them.
- Report URI CSP Wizard: https://scotthelme.co.uk/report-uri-csp-wizard/
Other tools:
- Report URI: https://report-uri.com/home/tools
- Firefox: Display security and privacy policies - Firefox Developer Tools | MDN
- Google: CSP Evaluator
- GitHub - nico3333fr/CSP-useful: Collection of scripts, thoughts about CSP (Content Security Policy)
Since an invalid or incorrect policy will break the web applications, testing is important. A good strategy is to start with a basic policy (like this one which forces all content to use HTTPS) and build it out to be even more secure.
Content-Security-Policy: default-src https:; form-action https:; connect-src https: wss:; upgrade-insecure-requestsHow to implement Content Security Policy? | DareBoost Blog comments “that it is possible to use both Content-Security-Policy and Content-Security-Policy-Report-Only headers” which would allow for a basic policy to be in place and an experimental policy to be reported on, either in a lower environment or as part of a testing suite.