Advertisement

Facebook

What is CSP (Content Security Policy)?

Mahesh Makwana March 21, 2025
What is CSP (Content Security Policy)?

Website security is more important than ever, with cyber threats like Cross-Site Scripting (XSS), clickjacking, and data injection becoming common. A great way to protect your website is by using Content Security Policy (CSP).

CSP acts like a security guard for your website, controlling what content can be loaded and executed. In this blog, we’ll break it down in simple words so you can understand, implement, and benefit from it.

CSP is a security feature that helps prevent malicious code from running on your website. It works by setting rules that tell the browser which resources (scripts, images, styles, etc.) are allowed and which are blocked.

Why is CSP Important?

  • Prevents XSS Attacks – Stops hackers from injecting harmful scripts.
  • Protects User Data – Keeps sensitive information secure.
  • Reduces Clickjacking Risks – Blocks unauthorized iframes.
  • Boosts Website Security – Adds an extra layer of protection.

How to Add CSP to Your Website

You can add CSP in two ways:

1. Using HTTP Headers (Recommended)

If you have access to your server, add this header to your response:

Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com

This means:

  • By default, content can only load from the same domain ('self').
  • JavaScript is only allowed from the same domain and https://apis.example.com.

2. Using an HTML Meta Tag

If you can’t modify server headers, add this inside the <head> of your HTML:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://apis.example.com;">

CSP Directives

Directives control what kind of content can be loaded and from where. Let’s break them down:

1. default-src

Acts as a fallback for all other resource types if a more specific rule isn’t defined.

default-src 'self'

This means only content from the same origin is allowed.

2. script-src

Controls JavaScript sources.

script-src 'self' https://apis.example.com

3. style-src

Controls stylesheets and inline styles.

style-src 'self' 'unsafe-inline'

4. img-src

Controls the sources of images.

img-src 'self' https://cdn.example.com

5. font-src

Controls font loading.

font-src 'self' https://fonts.example.com

6. connect-src

Controls AJAX, WebSockets, and API requests.

connect-src 'self' https://api.example.com

7. frame-ancestors

Controls if the page can be embedded into iframes.

frame-ancestors 'none'

8. object-src

Controls plugins like Flash (deprecated), or <object>, <embed>, <applet>.

object-src 'none'

9. report-uri (or report-to)

Allows reporting CSP violations to a specified endpoint.

report-uri/csp-violation-report

Sources in CSP

You specify trusted sources using these keywords:

  • 'self' — Allows loading from the same origin.
  • 'none' — Blocks everything.
  • 'unsafe-inline' — Allows inline JavaScript or CSS (not recommended for security reasons).
  • 'unsafe-eval' — Allows the use of eval() in JavaScript (also risky).
  • https://example.com — Allows content only from this specific domain.
  • * — Allows any source (dangerous — avoid).

Example CSP Rule

This policy:

  • Allows scripts from the same site and apis.example.com.
  • Allows styles but also allows inline styles ('unsafe-inline').
  • Blocks iframes (frame-ancestors 'none').
  • Reports violations to /csp-report.

Best Practices

  1. Avoid 'unsafe-inline' and 'unsafe-eval' unless absolutely necessary.
  2. Use Nonces and Hashes for inline scripts and styles: 
    Content-Security-Policy: script-src 'nonce-abc123'
    Then apply the nonce in the script tag: 
    <script nonce="abc123">console.log('Hello, CSP!');</script>
  3. Use a Report-Only Mode for testing: 
    Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; report-uri /csp-violation-report
  4. Restrict Third-Party Resources — Only allow necessary domains.

Testing and Troubleshooting CSP

  1. Browser DevTools: Open your browser’s developer tools (F12 or right-click → Inspect), go to the Console, and check for CSP errors.
  2. CSP Validator: Use tools like CSP Evaluator by Google to test your policy.
  3. Report Violations: Implement a violation reporting endpoint to monitor issues: 
    report-uri /csp-violation-report
  4. Common Errors:
    • Blocked inline scripts: Add nonce or avoid inline scripts.
    • Third-party scripts blocked: Explicitly add the domain in script-src.

Benefits of CSP

  • Prevents unauthorized script execution.
  • Protects sensitive user data.
  • Mitigates attacks like XSS and clickjacking.
  • Improves overall website security.

Conclusion

Implementing Content Security Policy (CSP) is an essential step in securing your website against modern cyber threats. By defining what content can and cannot be loaded, you prevent hackers from injecting malicious scripts and improve overall site security.

Secure your website today with CSP! Need help setting it up? Let us know in the comments!

Tags
Knowledge
Makwana Mahesh

Posted by Makwana Mahesh

Post a Comment

0 Comments

Post a Comment
Buy Me A Coffee