Content Security Policy

Content Security Policy (CSP) is an additional security layer used to protect web users from various threats such as Cross-Site Scripting (XSS), an OWASP Top 10 security risk.

By default, web browsers will download, process, and execute most JavaScript and CSS resources requested by a website, including malicious scripts that may have been injected via XSS or other attacks.

CSP gives us a set of directives that website administrators can apply to instruct browsers to trust only resources from a specific list of origins. Any resource that is not covered by the policy is rejected.

An example of a Content Security Policy violation report collected by Flowports.


A strict policy is often recommended for best protection, but it must be applied carefully. A policy that fails to specify an origin that is required for a specific part of a website or application to work will degrade the experience for users.

Because policy violations happen in the client’s browser, they are often difficult to troubleshoot.

Reporting violations

It’s recommended to add a reporting endpoint to every policy, so that violations that would otherwise be visible only on a client are also sent to the server, where web administrators can analyze them.

The policy directive that enables reporting is report-uri. The following is an example of a very strict policy that uses Flowports as a report collector.

Content-Security-Policy: default-src 'self'; report-uri https://yoursite.ingest.flowports.com/report
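
As an added example (not Flowports code and not part of the original page), here is a minimal Python sketch of what a collector does with the JSON bodies browsers POST to a report-uri endpoint: it validates each report and counts violations per directive and blocked origin. The sample reports, the example.com and example.net hosts, and the 16 KiB size cap are constructed assumptions.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

MAX_BODY = 16 * 1024  # assumed cap; real reports are small JSON documents

def blocked_source(blocked_uri):
    """Reduce blocked-uri to an origin; keywords such as 'inline' or 'eval' pass through."""
    try:
        parts = urlsplit(blocked_uri)
    except ValueError:
        return "invalid"
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return blocked_uri or "unknown"

def parse_report(content_type, body):
    """Return (directive, blocked source, document URI), or None for a malformed report."""
    if len(body) > MAX_BODY or content_type.split(";")[0].strip().lower() != "application/csp-report":
        return None
    try:
        report = json.loads(body)["csp-report"]
        # Older browsers send only violated-directive, sometimes with its source list.
        directive = report.get("effective-directive") or report.get("violated-directive")
        blocked = report.get("blocked-uri", "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    if not isinstance(directive, str) or not directive.split() or not isinstance(blocked, str):
        return None
    return directive.split()[0], blocked_source(blocked), str(report.get("document-uri", ""))

def summarize(requests):
    """Count violations per (directive, blocked source) so the noisiest gaps surface first."""
    counts = Counter()
    for content_type, body in requests:
        parsed = parse_report(content_type, body)
        if parsed:
            counts[parsed[:2]] += 1
    return counts.most_common()

# Constructed sample (Content-Type, body) pairs for a site served with: default-src 'self'
SAMPLE = [
    ("application/csp-report", b'{"csp-report": {"document-uri": "https://www.example.com/checkout", "effective-directive": "script-src-elem", "blocked-uri": "https://cdn.example.net/lib.js"}}'),
    ("application/csp-report; charset=utf-8", b'{"csp-report": {"document-uri": "https://www.example.com/", "effective-directive": "script-src-elem", "blocked-uri": "https://CDN.example.net/other.js"}}'),
    ("application/csp-report", b'{"csp-report": {"document-uri": "https://www.example.com/", "violated-directive": "default-src \'self\'", "blocked-uri": "inline"}}'),
    ("text/plain", b'{"csp-report": {}}'),                          # wrong content type: dropped
    ("application/csp-report", b'{"csp-report": "not an object"'),  # malformed JSON: dropped
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A repeated external origin in the summary usually points to a legitimate source missing from the policy, while `inline` or `eval` entries on pages that should contain neither deserve a closer look.
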

We can be your report collector so you don't need to build your own. Sign up for a free trial of Flowports to get started.