Improving Web Security with the Content Security Policy
Feb 20, 2025 pm 12:04 PM
Content Security Policy (CSP): A Comprehensive Guide to Web Security
Content Security Policy (CSP) is a crucial security mechanism safeguarding websites against content injection attacks, primarily Cross-Site Scripting (XSS). This declarative policy empowers developers to create a whitelist of trusted resource origins, controlling how the browser loads resources, uses inline styles and scripts, and handles dynamic JavaScript evaluation (e.g., using eval()). Any attempt to load resources from outside this whitelist is blocked.
Key Concepts:
- Whitelist Approach: CSP operates by defining allowed sources, blocking everything else.
-
HTTP Header Delivery: The policy is implemented via the
Content-Security-PolicyHTTP header. - Directive-Based Control: The header contains directives specifying allowed domains and restricting JavaScript execution to prevent injection attacks.
-
Violation Reporting: The
report-uridirective logs CSP violations, invaluable for production environments. This sends a JSON report detailing the violation to a specified URL.
How CSP Works:
CSP, a W3C Candidate Recommendation, uses the Content-Security-Policy header to deliver directives. Key directives include: default-src, script-src, object-src, style-src, img-src, media-src, frame-src, font-src, and connect-src. default-src acts as a fallback for unspecified directives.
Directives follow a consistent pattern:
-
self: Refers to the current domain. - URL List: Space-separated URLs specifying allowed origins.
-
none: Prohibits loading resources for a given directive (e.g.,object-src 'none'blocks plugins).
A basic CSP allowing resources only from the current domain:
<code>Content-Security-Policy: default-src 'self';</code>
Any attempt to load from another domain is blocked, with a console message. CSP inherently restricts inline scripts and dynamic code evaluation, significantly mitigating injection risks.
While domains are specified, paths are not currently supported. Wildcards (), however, allow for subdomain inclusion (e.g., `.mycdn.com`). Each directive requires explicit domain/subdomain listing; they don't inherit from previous directives.
For data URLs, include data: in the directive (e.g., img-src 'data:'). unsafe-inline (for script-src and style-src) allows inline <script></script> and <style></style> tags, and unsafe-eval (for script-src) enables dynamic code evaluation. Both use opt-in policies; omitting them enforces restrictions.
Browser Compatibility:
CSP 1.0 enjoys broad browser support, with older Internet Explorer versions having limited compatibility.
Monitoring Violations with report-uri:
While development uses browser console logging, production environments benefit from report-uri. This sends HTTP POST requests containing violation details (in JSON format) to a specified URL.
Example:
<code>Content-Security-Policy: default-src 'self';</code>
A violation (e.g., loading from www.google-analytics.com) generates a JSON report sent to the report-uri.
Content-Security-Policy-Report-Only Header:
For testing, use Content-Security-Policy-Report-Only. This reports violations without blocking resources, allowing policy refinement without site disruption. Both headers can be used concurrently.
Implementing CSP:
CSP is set via the HTTP header. Server configuration (Apache, IIS, Nginx) or programmatic methods (PHP's header(), Node.js's setHeader()) can be used.
Real-World Examples:
Facebook and Twitter demonstrate diverse CSP implementations, utilizing wildcards and specific domain allowances.
CSP Level 2 Enhancements:
CSP Level 2 introduces new directives (base-uri, child-src, form-action, frame-ancestors, plugin-types), improved reporting, and nonce/hash-based protection for inline scripts and styles.
Nonce-Based Protection:
A randomly generated nonce is included in both the CSP header and the inline script tag.
Hash-Based Protection:
The server computes the hash of the script/style block, included in the CSP header. The browser verifies this hash before execution.
Conclusion:
CSP significantly enhances web security by controlling resource loading. report-uri facilitates monitoring, and Level 2 introduces further refinements. Implementing CSP is a vital step in building robust and secure web applications.
(Note: The image placeholders remain unchanged as requested.)
The above is the detailed content of Improving Web Security with the Content Security Policy. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
The Developer's Shortcut To Your Udemy-like Platform
Jun 17, 2025 pm 04:43 PM
When developing learning platforms similar to Udemy, the focus isn't only on content quality. Just as important is how that content is delivered. This is because modern educational platforms rely on media that is accessible, fast, and easy to digest.
Cost Effective Reseller Platforms for Buying SSL Certificates
Jun 25, 2025 am 08:28 AM
In a world where online trust is non-negotiable, SSL certificates have become essential for every website. The market size of SSL certification was valued at USD 5.6 Billion in 2024 and is still growing strongly, fueled by surging e-commerce business
5 Best Payment Gateways for SaaS: Your Ultimate Guide
Jun 29, 2025 am 08:28 AM
A payment gateway is a crucial component of the payment process, enabling businesses to accept payments online. It acts as a bridge between the customer and the merchant, securely transferring payment information and facilitating transactions. For
New study claims AI 'understands' emotion better than us — especially in emotionally charged situations
Jul 03, 2025 pm 05:48 PM
In what seems like yet another setback for a domain where we believed humans would always surpass machines, researchers now propose that AI comprehends emotions better than we do.Researchers have discovered that artificial intelligence demonstrates a
Hurricanes and sandstorms can be forecast 5,000 times faster thanks to new Microsoft AI model
Jul 05, 2025 am 12:44 AM
A new artificial intelligence (AI) model has demonstrated the ability to predict major weather events more quickly and with greater precision than several of the most widely used global forecasting systems.This model, named Aurora, has been trained u
Your devices feed AI assistants and harvest personal data even if they’re asleep. Here's how to know what you're sharing.
Jul 05, 2025 am 01:12 AM
Like it or not, artificial intelligence has become part of daily life. Many devices — including electric razors and toothbrushes — have become AI-powered," using machine learning algorithms to track how a person uses the device, how the devi
Would outsourcing everything to AI cost us our ability to think for ourselves?
Jul 03, 2025 pm 05:47 PM
Artificial intelligence (AI) began as a quest to simulate the human brain.Is it now in the process of transforming the human brain's role in daily life?The Industrial Revolution reduced reliance on manual labor. As someone who researches the applicat
Advanced AI models generate up to 50 times more CO₂ emissions than more common LLMs when answering the same questions
Jul 06, 2025 am 12:37 AM
The more precisely we attempt to make AI models function, the greater their carbon emissions become — with certain prompts generating up to 50 times more carbon dioxide than others, according to a recent study.Reasoning models like Anthropic's Claude
