CSP

Definition

CSP, or Content Security Policy, is a security standard introduced to prevent a variety of attacks such as Cross-Site Scripting (XSS) and data injection attacks by specifying which dynamic resources are allowed to load on a web page. It is implemented via HTTP headers or HTML meta tags, allowing developers to control resources like scripts, styles, and other content types that the browser can execute or render.

Secure Settings Example

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;

This policy restricts all content to the same origin by default, allows scripts from the same origin and a trusted CDN, disallows all plugins, allows inline styles, and permits images from the same origin and data URIs.

Insecure Settings Example

Content-Security-Policy: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; object-src *; style-src *;

This policy is insecure because it allows content from any source, including potentially malicious ones, permits inline scripts and styles, and allows the execution of unsafe script evaluations, which can lead to XSS attacks.