Why There Is A Need Of Content Security Policy (CSP)?

The HTTP Content-Security-Policy response header lets web site administrators control which resources the user agent is allowed to load for a given page. Its main purpose is to detect and mitigate cross-site scripting (XSS) and other content-injection attacks.

Introduction

Content Security Policy (CSP) is a browser security mechanism that protects a site against several classes of attack. The usual goals behind those attacks include stealing or manipulating data on the website and distributing malware to its visitors. We have already discussed HTTP status codes such as 404 Page Not Found, HTTP Error 503 Service Unavailable and Status Code 301 in our previous articles; reviewing them before you proceed will help you understand how your application behaves on the wire.

When your browser loads a page, that page in turn loads many other resources: scripts, stylesheets, images, fonts and frames. CSP lets the server declare which origins each kind of resource may come from. It is designed to be backward compatible: a browser that does not understand CSP simply ignores the header and applies its normal same-origin policy, so the page keeps working, just without the extra protection.

Why There Is A Need Of Content Security Policy (CSP)?
Content-Security-Policy gives users strong protection for their data against cross-site scripting (XSS). In an XSS attack, the attacker smuggles malicious script into a page alongside the legitimate content; the browser cannot tell the injected code from the site's own code and executes it with the page's privileges.
Code injection of this kind is a favourite attacker technique, and a successful injection exposes everything the page can reach: session cookies, form data and the DOM. CSP limits the damage by telling the browser which script sources are trusted, so an injected script from an unlisted source (or an injected inline script) is refused. CSP is a second line of defense, not a replacement for output escaping and input validation: a policy that allows 'unsafe-inline' or a wildcard script source offers little protection against XSS.

How To Add CSP On Your Website?

CSP is designed to be backward compatible with browsers that do not support it: those browsers ignore the policy and fall back to the standard same-origin policy, and servers that send no policy keep working with CSP-aware browsers. To enable CSP, configure your web server to return the Content-Security-Policy HTTP header. Alternatively, you can set the policy with a <meta> element in the page, although some directives (for example frame-ancestors, report-uri and sandbox) only work in the header. For example-
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
Configuring Content Security Policy (CSP) means adding the Content-Security-Policy HTTP header to the response for a page and giving it values that control which resources the user agent is allowed to load for that page.
As a more elaborate example, take a page that lets users upload images and then displays them. The images themselves may be served from anywhere, but the form should only be allowed to post to a specific upload endpoint; the img-src and form-action directives express exactly that. A properly designed Content Security Policy protects such a page against cross-site scripting attacks.
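As an added example (not code from the original article), here is how the image-upload page described above could be served from a small Node.js handler that builds the header from a structured policy object instead of hand-typing the string. The upload endpoint path, the /csp-report endpoint, the port and the CSP_REPORT_ONLY switch are assumptions; the policy itself follows the article's scenario.

```javascript
// Added example (not from the original article): build a Content-Security-Policy
// header from a structured policy object and attach it to a Node.js response.
// The upload endpoint, the report endpoint and the port are assumptions.

const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"]);

// Serialize { directive: [sources] } into the header value "dir src src; dir src".
function buildPolicy(directives) {
  const parts = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (!/^[a-z][a-z-]*$/.test(name)) throw new Error(`invalid directive name: ${name}`);
    for (const src of sources) {
      if (/[\s;,]/.test(src)) throw new Error(`invalid source "${src}" in ${name}`);
      // A keyword without its single quotes is parsed by browsers as a host called
      // "self" (or "none"), which silently allows nothing you intended.
      if (KEYWORDS.has(`'${src}'`)) throw new Error(`keyword ${src} must be written as '${src}'`);
    }
    parts.push([name, ...sources].join(' '));
  }
  return parts.join('; ');
}

// Policy for the article's scenario: a page that shows user-uploaded images from
// any https host, runs only its own scripts, and whose form may post only to
// one upload endpoint.
const uploadPagePolicy = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'img-src': ["'self'", 'https:'],
  'form-action': ['https://technologycrowds.com/upload'], // endpoint path is an assumption
  'frame-ancestors': ["'none'"],                          // header-only; ignored inside <meta>
  'report-uri': ['/csp-report'],                          // violation-report endpoint, assumed
};

// Set the header on a response. With reportOnly the browser only reports
// violations instead of blocking, which is how to trial a policy before enforcing it.
function attachCsp(res, directives, { reportOnly = false } = {}) {
  const header = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  res.setHeader(header, buildPolicy(directives));
  return header;
}

function handleRequest(req, res) {
  attachCsp(res, uploadPagePolicy, { reportOnly: process.env.CSP_REPORT_ONLY === '1' });
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<!doctype html><title>Upload</title>'
    + '<form method="post" action="/upload" enctype="multipart/form-data">'
    + '<input type="file" name="image"><button>Upload</button></form>');
}

// Start listening only when asked: node csp-server.js --serve
if (process.argv.includes('--serve')) {
  require('http').createServer(handleRequest).listen(8080, () =>
    console.log('listening on http://localhost:8080 (CSP_REPORT_ONLY=1 to report without blocking)'));
}
```

When you run it locally the page is served from localhost, so submitting the form to the technologycrowds.com endpoint is blocked by form-action; that is the policy doing its job, and running with CSP_REPORT_ONLY=1 shows how you would observe such violations in the browser console before switching to enforcement.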


Google Analytics - Content Security Policy Sample

<meta http-equiv="content-security-policy" content="script-src 'self' https://www.google-analytics.com; img-src https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net;" />
This sample lists the Google Analytics hosts for scripts, images (the tracking pixel) and connections. Note that it sets no default-src, so every resource type it does not mention (styles, fonts, frames and so on) stays unrestricted; in production combine it with a default-src 'self' baseline.

How To Specify Your Policy With The Content-Security-Policy HTTP Header?

Content-Security-Policy: policy

Here policy is a string containing the policy directives that define your Content Security Policy, separated by semicolons.

How You Can Write a Policy?

A policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area.
Content-Security-Policy: default-src technologycrowds.com would allow resources to be loaded only from the host technologycrowds.com, using the page's own scheme (https is always acceptable) and that scheme's default port; subdomains are not included.
Content-Security-Policy: default-src https://technologycrowds.com:108 would only allow resources to be loaded from that single origin: over https and on port 108.
Content-Security-Policy: default-src https://technologycrowds.com:* would only allow resources to be loaded from your domain over https, on any port. Because default-src covers every resource type, scripts too can then be loaded only from the originating server.
The wildcard * can be used for the port and as the left-most label of a host name (for example https://*.technologycrowds.com:*); it cannot be used for the scheme. Besides host names, the following quoted keywords can be used as sources:
  • 'none' blocks the use of this type of resource entirely.
  • 'self' matches the current origin (scheme, host and port), but not subdomains.
  • 'unsafe-inline' allows inline <script> and <style> blocks, inline event handlers and javascript: URLs; enabling it for script-src largely defeats the XSS protection.
  • 'unsafe-eval' allows string-to-code mechanisms such as eval(), new Function() and string arguments to setTimeout().

Examples Showing How To Use Above Keywords

Content-Security-Policy: default-src 'none'; script-src https://technologycrowds.com would block every resource except scripts loaded from your domain over https.
Content-Security-Policy: default-src 'none'; script-src https://technologycrowds.com; style-src 'unsafe-inline' would additionally allow inline CSS.
Content-Security-Policy: script-src technologycrowds.com; script-src google.com would not allow any script to be loaded from google.com: when a directive is repeated, browsers honour only the first occurrence and ignore the rest (with a console warning).
Content-Security-Policy: script-src technologycrowds.com google.com is the correct way to write the policy above; all sources for a directive go in one list.
Content-Security-Policy: default-src https:; script-src http://technologycrowds.com would not allow scripts from any other host over https, because a specified script-src replaces default-src for scripts rather than extending it. There is no inheritance from the default source directive, so scripts may come only from technologycrowds.com. (If the page itself is served over https, the browser's mixed-content blocking will also refuse a script fetched over plain http.)
Content-Security-Policy: default-src https:; script-src https://technologycrowds.com http://technologycrowds.com states that intent explicitly: everything else over https from anywhere, and scripts only from technologycrowds.com.
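The rules in the two preceding sections (scheme and host matching, the meaning of 'self', wildcards, first-directive-wins and the absence of inheritance from default-src) are easier to internalise by executing them. The following evaluator is an added example, not code from the original article: given a policy string, a directive, a resource URL and the page URL it decides whether a browser following the CSP specification would allow the load. Host names other than technologycrowds.com are made up, and nonces, hashes and path matching are left out.

```javascript
// Added example (not from the original article): an evaluator for the CSP
// source-matching rules discussed above. It models first-directive-wins,
// fallback to default-src only for directives that have one, 'none', 'self',
// scheme sources (https:) and host sources with optional scheme, port and '*'
// wildcards. Nonces, hashes and path matching are not modelled.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Directives that do NOT fall back to default-src when absent.
const NO_FALLBACK = new Set(['base-uri', 'form-action', 'frame-ancestors', 'report-uri', 'sandbox']);

// Parse "dir src src; dir src" into a Map. Browsers honour only the first
// occurrence of a directive, so a repeated script-src is dropped here too.
function parsePolicy(text) {
  const policy = new Map();
  for (const chunk of text.split(';')) {
    const [name, ...sources] = chunk.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// CSP Level 3 scheme matching: an http: source also admits https: URLs, ws: admits wss:.
function schemeMatches(expected, actual) {
  return expected === actual
    || (expected === 'http:' && actual === 'https:')
    || (expected === 'ws:' && actual === 'wss:');
}

// Match a host source (technologycrowds.com, https://*.example.com:*,
// https://technologycrowds.com:108 ...) against a parsed URL.
function hostSourceMatches(expr, url, page) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:/*]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // No scheme in the source means the page's scheme (https is always acceptable).
  if (!schemeMatches(scheme ? `${scheme.toLowerCase()}:` : page.protocol, url.protocol)) return false;
  // '*' matches any host; '*.example.com' matches subdomains but not example.com itself.
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : (h === '*' || h === url.hostname);
  if (!hostOk) return false;
  // No port in the source means the default port of the URL's scheme; '*' means any port.
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port === undefined) return urlPort === (DEFAULT_PORT[url.protocol] || '');
  return port === '*' || port === urlPort;
}

// Sources governing `directive`, or null when the policy leaves it unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (NO_FALLBACK.has(directive)) return null;
  return policy.get('default-src') ?? null;
}

// Would a page at pageUrl be allowed to load resourceUrl under directive?
function isAllowed(policyText, directive, resourceUrl, pageUrl) {
  const page = new URL(pageUrl);
  const url = new URL(resourceUrl);
  const sources = effectiveSources(parsePolicy(policyText), directive);
  if (sources === null) return true;
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return url.origin === page.origin;
    if (s.startsWith("'")) return false;   // 'none', 'unsafe-*', nonces and hashes never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s, url.protocol);
    return hostSourceMatches(src, url, page);
  });
}

// The article's examples, evaluated (node csp-eval.js). Hosts other than
// technologycrowds.com are made up.
const PAGE = 'https://technologycrowds.com/';
const CASES = [
  ["default-src 'none'; script-src https://technologycrowds.com", 'img-src', 'https://technologycrowds.com/logo.png'],
  ['script-src technologycrowds.com; script-src google.com', 'script-src', 'https://google.com/analytics.js'],
  ['default-src https:; script-src http://technologycrowds.com', 'script-src', 'https://cdn.example.net/lib.js'],
  ["default-src 'self'; img-src https://*; child-src 'none'", 'img-src', 'https://pictures.example/cat.png'],
  ["default-src 'none'", 'form-action', 'https://attacker.example/collect'],
];
for (const [policy, directive, resource] of CASES) {
  const verdict = isAllowed(policy, directive, resource, PAGE) ? 'ALLOW' : 'BLOCK';
  console.log(`${verdict}  ${directive} ${resource}\n       under: ${policy}`);
}
```

The last case shows a gotcha worth remembering: form-action does not fall back to default-src, so default-src 'none' on its own still lets an injected form post anywhere, and the directive has to be set explicitly.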

Anjan kant

Outstanding journey in Microsoft Technologies (ASP.Net, C#, SQL Programming, WPF, Silverlight, WCF etc.), client side technologies AngularJS, KnockoutJS, Javascript, Ajax Calls, Json and Hybrid apps etc. I love to devote free time in writing, blogging, social networking and adventurous life
