CSP protects against client-side attacks by restricting the code, content and data exchange that occurs on a website or web application.
Any violation of the defined policy causes the browser to block the offending behavior. When a user visits a website that has implemented CSP, the browser receives the CSP policy together with the requested content over normal HTTP traffic. CSP enforcement is built into the browser itself and is supported by all modern desktop and mobile browsers.
CSP supports over a dozen directives, such as script-src, img-src and font-src. Each directive lets website owners enforce a specific security control: restricting the domains from which a given type of resource can be loaded, the domains the browser may connect to, the domains the browser may send data to, and asserting the integrity of executable content such as inline scripts.
CSP also supports reporting: the report-uri or report-to directives instruct the browser to send a violation report to a specified endpoint, so that whenever the policy is violated the website owner is alerted that the violation took place.
Control the resources that can load on a given web page.
To enable CSP, configure the web server to return the Content-Security-Policy HTTP header, giving it the values that control which resources are allowed on a web page. The CSP header is where you define the security policy that governs the content of your web page.
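As an added illustration (not code from Tala or from this page), the following builds a Content-Security-Policy header value from a directive map, checks whether a resource would be allowed under a given directive including the fall-back to default-src, and extracts the fields an analyst would triage from the JSON report the browser POSTs to a report-uri endpoint. The policy, origins and report are constructed sample values.

```python
import json
from urllib.parse import urlsplit

# Constructed sample policy (not from the page): directive -> list of sources.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "img-src": ["'self'", "https:"],
    "connect-src": ["'self'", "https://api.example.com"],
    "report-uri": ["/csp-report"],
}

# Fetch directives that fall back to default-src when they are not set.
FALLS_BACK_TO_DEFAULT = {"script-src", "img-src", "font-src", "style-src",
                         "connect-src", "media-src", "object-src", "frame-src"}


def build_header(policy):
    """Serialize the directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def is_allowed(policy, directive, resource_url, page_origin):
    """True if resource_url may load under `directive` on a page served from page_origin."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no directive applies, so the browser imposes no restriction
    parts = urlsplit(resource_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    host = parts.hostname or ""
    for src in sources:
        if src == "'self'" and origin == page_origin:
            return True
        if src.endswith(":") and resource_url.startswith(src):  # scheme source, e.g. https:
            return True
        if src.startswith("https://*.") and host.endswith(src[len("https://*"):]):
            return True  # wildcard host source, e.g. https://*.example.com
        if src == origin:  # exact host source
            return True
    return False


def parse_violation_report(body):
    """Pull the fields worth triaging out of a report-uri JSON POST body."""
    report = json.loads(body)["csp-report"]
    return {k: report.get(k) for k in ("document-uri", "violated-directive", "blocked-uri")}
```

Note that a script-src violation report shows which script was blocked and from where, which is the signal the page's "alerting" paragraph refers to; the check function mirrors what the browser decides before it sends that report.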
Common ways CSP is used:
Control Risk. Manage Trust.
Implementing CSP manually can be administratively complex and time-consuming for security teams. In addition, because websites change dynamically and are updated regularly, the CSP needs continuous adjustment. Errors in a CSP can break the website, and poorly written policies offer little security benefit. Although CSP provides valuable insight into website attacks and behaviors, its alert volume can quickly overwhelm security teams.
Tala completely automates the process of policy generation, updating and implementation, alert analytics and incident management. With Tala, a website can be up and running with a CSP in minutes. Website attacks are prevented in real time, website performance is preserved and the need for costly and continuous administration, remediation or incident response is minimized.
Request a free website analysis to find out.