Content Security Policy
Content Security Policy (CSP) is an additional security layer used to protect web users from various threats such as Cross-Site Scripting (XSS), an OWASP Top 10 security risk.
CSP gives us a set of directives that website administrators can apply to instruct browsers to trust only resources from a specific list of origins. Any resource that is not covered by the policy is rejected.
A strict policy is often recommended for best protection, but it must be applied carefully. A policy that omits an origin required by some part of a website or application will break that part and degrade the experience for users.
Because policy violations happen in the client's browser, they are often difficult to troubleshoot.
It's recommended to add a reporting endpoint to every policy. Violations that would otherwise be visible only on the client are then also sent to the server, where web administrators can analyze them.
The policy directive that enables reporting is report-uri. The following is an example of a very strict policy that uses Flowports as a report collector.
Content-Security-Policy: default-src 'self'; report-uri https://yoursite.ingest.flowports.com/report
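What a collector can do with the reports that policy produces, as an added example that is not part of the original page or of Flowports: it parses the header above and groups violation reports by directive and blocked origin, which shows the origins the policy does not list. Browsers post report-uri reports as JSON under the key csp-report; the sample bodies and the example.net and example.org origins are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

POLICY = "default-src 'self'; report-uri https://yoursite.ingest.flowports.com/report"

def parse_policy(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive, so the first one wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def blocked_origin(blocked_uri):
    """Reduce blocked-uri to scheme://host; keep keywords such as 'inline'."""
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"

def summarize(bodies):
    """Count violations per (directive, blocked origin); skip malformed bodies."""
    counts = Counter()
    for body in bodies:
        try:  # report bodies are client-supplied, so treat them as untrusted
            report = json.loads(body)["csp-report"]
            directive = report.get("effective-directive") or report["violated-directive"]
            key = (directive.split()[0], blocked_origin(report.get("blocked-uri") or ""))
        except (ValueError, KeyError, TypeError, IndexError, AttributeError):
            continue
        counts[key] += 1
    return counts

# Constructed sample bodies; example.net and example.org are placeholders.
SAMPLE_REPORTS = [
    b'{"csp-report": {"effective-directive": "script-src-elem", "blocked-uri": "https://cdn.example.net/lib.js"}}',
    b'{"csp-report": {"effective-directive": "script-src-elem", "blocked-uri": "https://cdn.example.net/app.js"}}',
    b'{"csp-report": {"effective-directive": "style-src-attr", "blocked-uri": "inline"}}',
    b'{"csp-report": {"violated-directive": "default-src \'self\'", "blocked-uri": "https://fonts.example.org/a.woff2"}}',
    b'not json',
]

if __name__ == "__main__":
    print("report-uri:", parse_policy(POLICY).get("report-uri"))
    for (directive, origin), n in summarize(SAMPLE_REPORTS).most_common():
        print(f"{n:3d}  {directive:16s} {origin}")
```

An origin that appears repeatedly in the summary is either a resource the site needs and the policy should list, or content that should not be loading at all.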