Content-Security-Policy Header
Table of Content
The Content-Security-Policy (CSP) HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Response header. This added layer of security assists in detecting and mitigating certain types of attacks, like Cross Site Scripting (XSS) and data injection attacks.
Syntax
Content-Security-Policy: policy-directiveDirectives
Directives for the Content-Security-Policy header define the sources from which certain types of resources can be loaded. They include:
default-src: This directive applies to requests for which no relevant directive is defined. It acts as a fallback for these cases.script-src: This defines the locations from which scripts can be loaded.style-src: This designates the locations from which stylesheets can be loaded.image-src: This specifies the locations from which images can be loaded.
Examples
Example of a simple CSP policy might look like this:
Content-Security-Policy: default-src 'self'; img-src *; In this case, the default policy is to only allow scripts and styles var 'img-src' from the same origin as the page.
Browser Compatibility
| Browser | Compatibility |
|---|---|
| Chrome | Supported |
| Firefox | Supported |
| Safari | Supported |
| Opera | Supported |
| Edge | Supported |
How to modify Content-Security-Policy header
ModHeader is a Chrome extension that allows users to modify HTTP request and response headers. To modify the Content-Security-Policy header using ModHeader:
- Install the ModHeader extension in your google chrome.
- Click on the ModHeader icon in your browser toolbar.
- Click 'Add' to add a new response header.
- Enter 'Content-Security-Policy' in the 'Name' field and input your policy in the 'Value' field. For example, you can input
default-src 'self';to accept only the scripts from the same origin. - This setup will then apply your Content-Security-Policy every time an HTTP response is received.
ModHeader can be instrumental in testing different Content-Security-Policies in live environments, as it allows developers to modify headers on the fly without the need for server reconfiguration.