What is Content Security Policy (CSP)?

CSP is a browser-native security standard developed by the W3C (World Wide Web Consortium). It protects against client-side attacks, including cross-site scripting (XSS), protocol downgrade attacks, clickjacking, third-party JavaScript compromises (e.g. Magecart), ad injections, session redirects and content-injection attacks. CSP policies can be configured either to detect attacks or to block them.

How does Content Security Policy (CSP) work?

CSP protects against client-side attacks by restricting the code, content and data exchange that occurs on a website or web application.

Any violation of the defined policy results in the browser preventing the offending behavior. When a user visits a website that has implemented CSP, the browser receives the CSP policy together with the requested website content over normal HTTP traffic. Enforcement is built into the browser itself, and all modern desktop and mobile browsers support it.

CSP supports more than a dozen directives, such as script-src, img-src and font-src. Each directive lets website owners enable a specific security control: restricting the domains from which a given type of resource can be loaded, the domains the browser may connect to, the domains the browser may send information to, and asserting the integrity of executable content such as inline scripts.

Examples of Content Security Policy (CSP)

The script-src directive restricts the domains from which the browser may load JavaScript.

This is particularly useful in preventing unauthorized or malicious JavaScript from being executed, as in Magecart attacks. Another directive, frame-src, restricts the domains from which the browser may load iframes. The form-action and connect-src directives restrict the domains that may receive website-form submissions and the domains to which the user's browser may open connections. Together these can help detect and block unauthorized data exfiltration attempts.
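To make the directive behaviour described above concrete, here is a small policy evaluator written for this article; it is not Tala's code and not a complete implementation of the CSP specification. It parses a policy string and answers "would the browser allow this?" for script-src, img-src, connect-src, form-action and frame-ancestors, including two details that trip people up: fetch directives fall back to default-src when absent, while navigation directives such as form-action do not, and inline scripts need a nonce (or 'unsafe-inline') to run. The policy, the shop.example origin and all URLs are constructed for illustration.

```python
"""Minimal CSP evaluator (added example; constructed policy and URLs)."""
from urllib.parse import urlparse

# Fetch directives fall back to default-src when they are absent; navigation
# directives such as form-action and frame-ancestors do not.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "frame-src"}

# Constructed policy for a hypothetical shop.example storefront.
EXAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example 'nonce-r4nd0m'; "
    "connect-src 'self' https://api.example; "
    "form-action 'self'; "
    "frame-ancestors 'none'"
)
PAGE_ORIGIN = "https://shop.example"


def parse_csp(header_value):
    """Parse 'name src src; name src' into {name: [src, ...]}."""
    policy = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if tokens:
            # If a directive is repeated, the browser keeps the first one.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _host_matches(pattern, host):
    """Host-source matching, including the '*.example' wildcard form."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # "*.cdn.example" covers "a.cdn.example"
    return pattern == host


def _source_allows(source, page_origin, url):
    """Does a single source expression permit loading `url`?"""
    src = source.lower()
    target = urlparse(url)
    if src == "'self'":
        page = urlparse(page_origin)
        return (target.scheme, target.hostname) == (page.scheme, page.hostname)
    if src.startswith("'"):
        # 'none', 'unsafe-inline', nonces and hashes never match a URL.
        return False
    if src.endswith(":"):                    # scheme-source such as https:
        return target.scheme == src[:-1]
    scheme, _, rest = src.partition("://")   # host-source, with or without scheme
    if rest:
        if target.scheme != scheme:
            return False
        host = rest.split("/")[0].split(":")[0]
    else:
        host = src.split("/")[0].split(":")[0]
    return _host_matches(host, target.hostname or "")


def is_allowed(policy, directive, page_origin, url):
    """True if the policy lets `url` be used for `directive` on this page."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True          # nothing governs this directive, so nothing is blocked
    return any(_source_allows(s, page_origin, url) for s in sources)


def inline_script_allowed(policy, nonce=None):
    """Inline scripts need 'unsafe-inline' or a matching nonce; a nonce or
    hash in the directive makes the browser ignore 'unsafe-inline'."""
    sources = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src", [])
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in sources)
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return "'unsafe-inline'" in sources and not strict


def demo():
    """Decisions a browser enforcing EXAMPLE_POLICY would make."""
    policy = parse_csp(EXAMPLE_POLICY)
    bare = parse_csp("default-src 'self'")   # no form-action at all
    return {
        "own_script": is_allowed(policy, "script-src", PAGE_ORIGIN, "https://shop.example/app.js"),
        "cdn_script": is_allowed(policy, "script-src", PAGE_ORIGIN, "https://cdn.example/lib.js"),
        "skimmer_script": is_allowed(policy, "script-src", PAGE_ORIGIN, "https://evil.example/skim.js"),
        "img_falls_back_to_default": is_allowed(policy, "img-src", PAGE_ORIGIN, "https://shop.example/logo.png"),
        "img_from_elsewhere": is_allowed(policy, "img-src", PAGE_ORIGIN, "https://evil.example/pixel.gif"),
        "exfil_connection": is_allowed(policy, "connect-src", PAGE_ORIGIN, "https://evil.example/collect"),
        "form_post_elsewhere": is_allowed(policy, "form-action", PAGE_ORIGIN, "https://evil.example/steal"),
        "form_post_no_directive": is_allowed(bare, "form-action", PAGE_ORIGIN, "https://evil.example/steal"),
        "framed_by_other_site": is_allowed(policy, "frame-ancestors", PAGE_ORIGIN, "https://evil.example/"),
        "inline_with_nonce": inline_script_allowed(policy, nonce="r4nd0m"),
        "inline_without_nonce": inline_script_allowed(policy),
    }
```

Calling `demo()` shows the skimmer script, the exfiltration connection, the form post to another site and the framing attempt all blocked, while the fallback of img-src to default-src keeps first-party images working. The `form_post_no_directive` entry is the caveat to remember: a policy that only sets default-src leaves form-action wide open, so it has to be set explicitly.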


CSP Reporting

CSP policies support reporting through the report-uri and report-to directives, which tell the browser where to send violation reports. If the policy names a reporting endpoint, the browser sends a report to it each time a violation takes place, so the site owner is alerted even when the policy is only detecting rather than blocking.
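The reports mentioned above arrive at the endpoint as JSON, in one of two shapes: the legacy report-uri body wraps a single `csp-report` object, while report-to (the Reporting API, which also needs a Reporting-Endpoints header) delivers a batch of typed reports whose `body` uses camelCase field names. The following triage helper is an added example, not Tala's alert analytics; it normalizes both shapes, counts violations per directive and blocked origin, and separates real external hosts from pseudo-values such as `inline`, which usually indicate a policy gap rather than an attack. All report bodies are constructed samples.

```python
"""Normalize and summarize CSP violation reports (added example; sample reports are constructed)."""
import json
from collections import Counter
from urllib.parse import urlparse

# blocked-uri values that are not URLs: inline scripts, eval(), data: URLs, blob: URLs.
PSEUDO_VALUES = {"inline", "eval", "data", "blob", ""}

# Constructed sample: a legacy report-uri POST body.
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "https://evil.example/skim.js",
    "original-policy": "default-src 'self'; script-src 'self' https://cdn.example; report-uri /csp",
    "disposition": "enforce",
    "status-code": 200,
}})

# Constructed sample: a report-to (Reporting API) batch; other report types share the endpoint.
REPORT_TO_BATCH = json.dumps([
    {"type": "csp-violation", "age": 12, "url": "https://shop.example/checkout",
     "body": {"documentURL": "https://shop.example/checkout",
              "effectiveDirective": "connect-src",
              "blockedURL": "https://evil.example/collect",
              "disposition": "enforce", "statusCode": 200}},
    {"type": "csp-violation", "age": 30, "url": "https://shop.example/",
     "body": {"documentURL": "https://shop.example/",
              "effectiveDirective": "script-src-elem",
              "blockedURL": "inline",
              "disposition": "report", "statusCode": 200}},
    {"type": "deprecation", "age": 5, "url": "https://shop.example/", "body": {}},
])


def normalize(raw_body):
    """Turn either report format into a list of uniform records."""
    data = json.loads(raw_body)
    records = []
    if isinstance(data, dict) and "csp-report" in data:        # report-uri shape
        r = data["csp-report"]
        records.append({
            "document": r.get("document-uri"),
            "directive": r.get("effective-directive") or r.get("violated-directive"),
            "blocked": r.get("blocked-uri", ""),
            "disposition": r.get("disposition", "enforce"),
        })
    elif isinstance(data, list):                                # report-to batch
        for item in data:
            if item.get("type") != "csp-violation":
                continue                                        # ignore non-CSP report types
            b = item.get("body", {})
            records.append({
                "document": b.get("documentURL"),
                "directive": b.get("effectiveDirective"),
                "blocked": b.get("blockedURL", ""),
                "disposition": b.get("disposition", "enforce"),
            })
    return records


def blocked_origin(blocked):
    """Reduce blocked-uri to a triage key: a hostname, or the pseudo-value itself."""
    if blocked in PSEUDO_VALUES:
        return blocked or "(empty)"
    return urlparse(blocked).hostname or blocked


def summarize(bodies):
    """Count violations per (directive, blocked origin, disposition)."""
    counts = Counter()
    for body in bodies:
        for rec in normalize(body):
            counts[(rec["directive"], blocked_origin(rec["blocked"]), rec["disposition"])] += 1
    return counts


def external_hosts(bodies):
    """Hosts the browser refused to load from or talk to: the candidates for
    third-party compromise or exfiltration triage, with pseudo-values filtered out."""
    hosts = set()
    for body in bodies:
        for rec in normalize(body):
            if rec["blocked"] not in PSEUDO_VALUES:
                hosts.add(blocked_origin(rec["blocked"]))
    return hosts
```

Running `summarize([LEGACY_REPORT, REPORT_TO_BATCH])` yields three counted violations, and `external_hosts(...)` returns only `evil.example`; the `inline` violation with disposition `report` is kept in the summary for policy tuning but excluded from the host list. Grouping by blocked origin rather than by individual report is what keeps the alert volume the page warns about manageable.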

What is a Content Security Policy (CSP) Header?

Control the resources that can load on a given web page.

The Content Security Policy header helps reduce the risk of XSS by allowing you to restrict how dynamic resources such as JavaScript or CSS are allowed to load. It can also protect against other forms of attack, such as clickjacking.

To enable CSP, you need to configure your web server or application to return the Content-Security-Policy HTTP header, with values that control which resources are allowed for a web page. The browser reads this header and enforces the policy it defines on the page's content.
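One way to emit the header from the application side, as an added example (not Tala's product and not any framework's built-in API): a plain WSGI middleware that generates a fresh nonce per response, exposes it to the application so inline scripts can carry it, and sets either the enforcing header or the Content-Security-Policy-Report-Only variant for a detect-only rollout. The directive values, the cdn.example and api.example hosts and the `/csp-report` path are constructed placeholders.

```python
"""WSGI middleware that sets a nonce-based Content-Security-Policy header (added example)."""
import secrets


def build_policy(nonce, report_endpoint="/csp-report"):
    """Assemble the header value from a dict so the policy stays readable.
    Hosts and the report endpoint are constructed placeholders."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", "https://cdn.example"],
        "connect-src": ["'self'", "https://api.example"],
        "img-src": ["'self'", "data:"],
        "form-action": ["'self'"],       # must be explicit: it does not inherit default-src
        "frame-ancestors": ["'none'"],   # the CSP replacement for X-Frame-Options
        "report-uri": [report_endpoint],
    }
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


class CSPMiddleware:
    """Wraps any WSGI app; report_only=True switches to the Report-Only header."""

    def __init__(self, app, report_only=False):
        self.app = app
        self.header = ("Content-Security-Policy-Report-Only" if report_only
                       else "Content-Security-Policy")

    def __call__(self, environ, start_response):
        nonce = secrets.token_urlsafe(16)
        environ["csp.nonce"] = nonce     # the app stamps this onto its inline <script> tags

        def wrapped_start(status, headers, exc_info=None):
            # Replace any header of the same name the app may have set, then add ours.
            headers = [(k, v) for k, v in headers if k.lower() != self.header.lower()]
            headers.append((self.header, build_policy(nonce)))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start)


def demo_app(environ, start_response):
    """Minimal app whose inline script carries the per-response nonce."""
    nonce = environ["csp.nonce"]
    body = f'<script nonce="{nonce}">console.log("ok")</script>'.encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def run_request(app, environ=None):
    """Invoke a WSGI app in-process; returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ or {}, start_response))
    return captured["status"], captured["headers"], body
```

`run_request(CSPMiddleware(demo_app))` returns a response whose Content-Security-Policy header and whose `<script nonce="...">` share the same random value, which is what lets the browser run that one inline script while refusing injected ones. Deploy with `report_only=True` first and watch the reports before switching to the enforcing header.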


CSP Typical Use Cases

Common ways CSP is used:

  • Setting policies to prevent user-supplied content from injecting malicious content (such as JavaScript) into web applications.
  • Setting policies for web applications that prevent users from loading content insecurely, even if the application is telling them to do so.
  • Setting policies to prevent trusted third parties from loading content from untrusted fourth or fifth parties.
  • Preventing web applications from being framed by other web applications.

CSP Automation via Tala’s Web Application Runtime Protection

Control Risk. Manage Trust.

Implementing CSP manually can be administratively complex and time consuming for security teams. In addition, since websites operate dynamically and are upgraded regularly, the policy requires continuous adjustment. Errors in a CSP can break the website, and poorly written policies offer little security benefit. Although CSP provides valuable insight into website attacks and behaviors, its alert volume can quickly overwhelm security teams.

Tala completely automates the process of policy generation, updating and implementation, alert analytics and incident management. With Tala, a website can be up and running with a CSP in minutes. Website attacks are prevented in real time, website performance is preserved and the need for costly and continuous administration, remediation or incident response is minimized.


Is your website secure?

Request a free website analysis to find out.