The Content Security Policy (CSP) header is a security feature implemented by web browsers to help prevent and mitigate various types of attacks, such as cross-site scripting (XSS) and data injection attacks. It allows website owners to control which resources (e.g., scripts, stylesheets, images, fonts) can be loaded and executed by the browser, thereby reducing the risk of malicious code execution.
The CSP header is an HTTP response header that is sent from the web server to the client (usually a web browser) as part of the HTTP response. It instructs the browser on which sources are considered safe for each type of resource.
The basic structure of the CSP header looks like this:
Content-Security-Policy: directive1 value1; directive2 value2; ...
Each directive specifies a type of resource (e.g., scripts, stylesheets) and the sources from which those resources are allowed to be loaded and executed. Some common directives include:
default-src: Specifies the default sources for resources that do not have a specific directive set.
style-src: Specifies the allowed sources for CSS stylesheets.
img-src: Specifies the allowed sources for images.
font-src: Specifies the allowed sources for fonts.
media-src: Specifies the allowed sources for audio and video content.
connect-src: Specifies the allowed sources for making network requests (AJAX, WebSockets, etc.).
frame-src: Specifies the allowed sources for embedding frames and iframes.
child-src: Specifies the allowed sources for embedding child resources like frames and iframes.
For example, to allow scripts only from the same origin and from a specific trusted domain, you can use the following CSP header:
Content-Security-Policy: script-src 'self' trusted-scripts.example.com;
This will instruct the browser to execute scripts only from the same origin (the website’s own domain) and from “trusted-scripts.example.com”.
CSP can be a powerful security feature, but it requires careful configuration to avoid blocking legitimate resources on your website. Proper testing and monitoring are essential when implementing a Content Security Policy to ensure that the website functions as expected while also maintaining a strong security posture against potential attacks.