CSPF
Definition
CSPF stands for Content Security Policy Framework, a security standard designed to prevent a range of attacks such as Cross-Site Scripting (XSS) and data injection attacks by specifying the sources from which the browser may load scripts, styles, images, frames, and other resources. It is delivered either as an HTTP response header or as an HTML <meta http-equiv> tag, allowing developers to control the resources the browser is permitted to load for a given page. The header form is preferred: it applies before any markup is parsed, and some directives (such as frame-ancestors, report-uri, and sandbox) are ignored when the policy is set via a <meta> tag.
Secure Settings Example
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; object-src 'none'; style-src 'self' 'unsafe-inline'
This CSP configuration allows resources to be loaded only from the same origin or the named trusted CDN, blocks all plugins (object-src 'none'), and permits inline styles. Note that 'unsafe-inline' on style-src is a deliberate relaxation: it lets an attacker who can inject markup also inject CSS, so it should be used cautiously and replaced with nonces or hashes where practical. Trusting a CDN origin also means trusting every script hosted on it, so scope the source as narrowly as possible.
Insecure Settings Example
Content-Security-Policy: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; object-src *
This insecure configuration allows resources from any origin (*), permits inline scripts and eval() via 'unsafe-inline' and 'unsafe-eval', and allows plugins from any origin. A policy like this provides essentially no protection against XSS, since any script an attacker can inject or host elsewhere will be executed, significantly increasing the risk of XSS and other attacks.
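To make the difference between the two policies above concrete, here is an added example (not code from the original page) that parses a Content-Security-Policy header value and reports the weak settings the page describes: wildcard sources, 'unsafe-inline' or 'unsafe-eval' on script-src, a permissive object-src, and inline styles. The two header strings are the page's own examples, embedded as constructed test input; the fallback of script-src and object-src to default-src follows the CSP specification.

```python
# Added example: a small CSP header auditor (defender-side linting), not part of the original page.

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:  # skip empty segments such as a trailing ';'
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header: str) -> list[str]:
    """Return a list of findings; an empty list means no weak setting was detected."""
    policy = parse_csp(header)
    findings: list[str] = []
    default = policy.get("default-src", [])
    # Fetch directives fall back to default-src when they are not set explicitly.
    scripts = policy.get("script-src", default)
    objects = policy.get("object-src", default)
    styles = policy.get("style-src", default)

    for directive, sources in policy.items():
        if "*" in sources:
            findings.append(f"{directive} allows any origin ('*')")
    if "'unsafe-inline'" in scripts:
        findings.append("script-src permits inline scripts ('unsafe-inline')")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src permits eval() ('unsafe-eval')")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src is not restricted (no object-src or default-src)")
    elif objects != ["'none'"]:
        findings.append("object-src should be 'none' to block plugins")
    if "'unsafe-inline'" in styles:
        findings.append("style-src permits inline styles ('unsafe-inline'); use cautiously")
    return findings


# The page's two example policies, used here as constructed sample input.
SECURE = "default-src 'self'; script-src 'self' https://trusted.cdn.com; object-src 'none'; style-src 'self' 'unsafe-inline'"
INSECURE = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; object-src *"

if __name__ == "__main__":
    for name, header in (("secure", SECURE), ("insecure", INSECURE)):
        print(f"{name}:")
        for finding in audit_csp(header) or ["no weak settings found"]:
            print("  -", finding)
```

Running it reports only the inline-style caveat for the secure policy and six findings for the insecure one.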