HTTP - Content security policy (CSP)

1 - About

Through an HTTP header in your server's response, you can define which behaviors are trusted in the page. CSP can be used to detect and mitigate the effects of certain attacks, such as:

  • attacks resulting from the execution of malicious content in the trusted web page context

CSP is particularly powerful because it includes directives such as script-src, which specifies the valid, allowed sources for JavaScript.

3 - Implementation

3.1 - Google Publisher tag

Ref: If you have a Content Security Policy (CSP) on your site, the restrictions of the CSP also apply to AMPHTML ads in friendly iframes. In that case, call googletag.pubads().setForceSafeFrame(true) before making any ad requests, to allow the ad to render in a cross-domain iframe without the CSP's restrictions.

4 - Syntax


Content-Security-Policy: <policy-directive>; <policy-directive>

  • With a few exceptions, policies mostly involve specifying server origins and script endpoints.
  • Your policy should include a default-src policy directive, which is the fallback for other resource types when they don't have policies of their own.


5 - Example

5.1 - Third party script

  • Given this CSP header:

Content-Security-Policy: script-src https://example.com/

  • a script loaded from any other origin, such as the one below, is blocked by the browser:

<script src="https://not-example.com/js/library.js"></script>
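The following is an added example (not code from the original page and not a CSP library) that makes the syntax of section 4 and the third-party script case above concrete: it parses a Content-Security-Policy header value into directives, applies the default-src fallback for fetch directives, and decides whether a resource URL is allowed. Source matching is deliberately simplified (no default-port rules, no nonces or hashes, no 'strict-dynamic'); the page origin https://gerardnico.com used in the usage line is an assumption.

```python
"""Minimal CSP source-expression evaluator (added example, simplified)."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are not set
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
}


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split 'a x y; b z' into {'a': ['x', 'y'], 'b': ['z']}.

    Directives are separated by ';' and sources by whitespace; names are
    case-insensitive; a repeated directive is ignored, as browsers do.
    """
    policy: dict[str, list[str]] = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _host_source_matches(source: str, url) -> bool:
    """Match a host-source such as https://example.com/, *.ezoic.net or cdn.x:8443/js/."""
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if url.scheme != scheme:
            return False
    else:
        rest = source
    host_part, _, path_part = rest.partition("/")
    host_spec, _, port_spec = host_part.partition(":")
    host = (url.hostname or "").lower()
    if host_spec.startswith("*."):
        # *.ezoic.net matches cdn.ezoic.net but not ezoic.net itself
        if not host.endswith(host_spec[1:]):
            return False
    elif host_spec != host:
        return False
    if port_spec and port_spec != "*" and str(url.port or "") != port_spec:
        return False
    if path_part:
        wanted = "/" + path_part
        path = url.path or "/"
        # a source path ending in '/' is a prefix match, otherwise an exact match
        if wanted.endswith("/"):
            if not path.startswith(wanted):
                return False
        elif path != wanted:
            return False
    return True


def source_matches(source: str, resource_url: str, page_origin: str) -> bool:
    """Does one source expression allow resource_url on a page served from page_origin?"""
    src = source.lower()
    url = urlsplit(resource_url)
    if src == "'none'":
        return False
    if src == "'self'":
        origin = urlsplit(page_origin)
        return (url.scheme, url.netloc.lower()) == (origin.scheme, origin.netloc.lower())
    if src == "*":
        return True
    if src.startswith("'"):                     # 'unsafe-inline', nonces, hashes: not URL matching
        return False
    if src.endswith(":") and "/" not in src:    # scheme-source such as https:
        return url.scheme + ":" == src
    return _host_source_matches(src, url)


def is_allowed(policy: dict[str, list[str]], directive: str,
               resource_url: str, page_origin: str) -> bool:
    """Apply `directive` (falling back to default-src) to resource_url."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True                             # no directive applies: unrestricted
    return any(source_matches(s, resource_url, page_origin) for s in sources)


if __name__ == "__main__":
    policy = parse_csp("script-src https://example.com/")
    print(is_allowed(policy, "script-src",
                     "https://not-example.com/js/library.js", "https://gerardnico.com"))
```

The fallback in is_allowed is the reason the page recommends a default-src: without it, any fetch directive you forget to write (img-src, connect-src, ...) is simply unrestricted.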

5.2 - Block HTTP calls on an HTTPS page


<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content" />

5.3 - Reporting


Content-Security-Policy-Report-Only: default-src 'self' *.ezoic.net; img-src www.googletagmanager.com ; report-uri https://api.gerardnico.com/csp
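With Report-Only the browser enforces nothing; the endpoint named in report-uri is the only evidence of what the policy would have blocked. The following is an added example (not code from the original page) of such an endpoint: it parses the JSON body a browser POSTs (Content-Type application/csp-report), keeps the fields worth logging, bounds the body size because the endpoint is unauthenticated, and marks reports caused by browser extensions as noise, the most common false positive on a report-uri. The path /csp, the listening address and the sample reports are constructed for this example.

```python
"""Receiving endpoint for CSP violation reports (added example)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

MAX_BODY = 64 * 1024            # the endpoint is unauthenticated: bound what we accept
REQUIRED = ("document-uri", "violated-directive", "blocked-uri")
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                     "safari-web-extension", "ms-browser-extension"}


def parse_csp_report(raw: bytes) -> dict:
    """Validate a report body and return a flat record; raises ValueError on junk."""
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("malformed report body") from exc
    report = body.get("csp-report") if isinstance(body, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    missing = [k for k in REQUIRED if k not in report]
    if missing:
        raise ValueError(f"report lacks {missing}")
    blocked = str(report["blocked-uri"])[:2048]
    # older browsers put the whole directive ('script-src https://...') in
    # violated-directive; effective-directive, when present, is just the name
    directive = str(report.get("effective-directive")
                    or report["violated-directive"]).split()[0]
    return {
        "document": str(report["document-uri"])[:2048],
        "directive": directive,
        "blocked": blocked,
        "source_file": str(report.get("source-file", ""))[:2048],
        "line": report.get("line-number"),
        "noise": urlsplit(blocked).scheme.lower() in EXTENSION_SCHEMES,
    }


class CspReportHandler(BaseHTTPRequestHandler):
    """POST /csp: parse the report, log real violations, always answer 204."""

    def do_POST(self) -> None:
        if self.path != "/csp":                 # constructed path for this example
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length") or 0)
        if length <= 0 or length > MAX_BODY:
            self.send_error(413)
            return
        try:
            record = parse_csp_report(self.rfile.read(length))
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        if not record["noise"]:
            print(f"CSP violation on {record['document']}: {record['directive']} "
                  f"blocked {record['blocked']} ({record['source_file']}:{record['line']})")
        self.send_response(204)
        self.end_headers()


# Constructed sample reports, shaped like what a browser sends
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://gerardnico.com/page",
    "violated-directive": "script-src https://example.com/",
    "effective-directive": "script-src",
    "original-policy": "script-src https://example.com/; report-uri https://api.gerardnico.com/csp",
    "blocked-uri": "https://not-example.com/js/library.js",
    "source-file": "https://gerardnico.com/page",
    "line-number": 12,
    "status-code": 200,
}}).encode()

EXTENSION_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://gerardnico.com/page",
    "violated-directive": "script-src https://example.com/",
    "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js",
}}).encode()


if __name__ == "__main__":
    print(parse_csp_report(SAMPLE_REPORT))
    HTTPServer(("127.0.0.1", 8080), CspReportHandler).serve_forever()
```

Answering 204 even for malformed input keeps browsers from retrying; the 400 and 413 paths exist so that the logs distinguish junk from real violations.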

6 - Documentation / Reference
