Bring your software development workflows to security
A Content Security Policy (CSP) is based on a powerful HTTP header that restricts which external assets (scripts, styles, media and so on) the browser may load. Enforcing a CSP can protect your app from Cross-Site Scripting (XSS), clickjacking and other code injection attacks.
The CSP lists all the authorized domains and resources your app is allowed to use (web workers, images, fonts, media, scripts, frames, stylesheets). Thus, if a user loads a page into which an attacker has injected a malicious resource, the browser still loads your page but prevents the attacker’s resource from loading.
A CSP is a very powerful protection but can be hard to manage at scale.
This plugin helps you craft and deploy a strong CSP by listing and filtering all the domains seen in your traffic, and helps you maintain it by notifying you when a new domain tries to load resources.
Once enabled, it will automatically set the Content-Security-Policy HTTP header, depending on which mode you enabled (reporting or blocking).
For each violation report, the reported domain is matched against internal blacklists to exclude non-legitimate domains.
Based on the whitelisted domains and their category (script, connection source, media, etc.), the right policy is generated. You can also add domains manually at any time.
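As an added illustration (example code, not the plugin's own), the pipeline described above reduced to a few functions: constructed violation reports are parsed, matched against a stand-in blacklist, grouped by directive, and rendered into the header for either mode. The report-uri JSON field names are the ones browsers send; the blacklist contents and the `/csp-report` path are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample violation reports in the report-uri JSON format the
# browser POSTs (only the fields this example uses are included).
SAMPLE_REPORTS = [
    '{"csp-report": {"effective-directive": "script-src", "blocked-uri": "https://cdn.example-assets.test/app.js"}}',
    '{"csp-report": {"effective-directive": "img-src", "blocked-uri": "https://images.example-assets.test/logo.png"}}',
    '{"csp-report": {"effective-directive": "script-src", "blocked-uri": "https://evil.example.test/miner.js"}}',
    '{"csp-report": {"effective-directive": "script-src", "blocked-uri": "inline"}}',
]

# Stand-in for the plugin's internal blacklist (assumption: a set of hostnames).
BLOCKLIST = {"evil.example.test"}

def domain_of(blocked_uri):
    """Return the host of a blocked URI, or None for non-URL values such as 'inline' or 'eval'."""
    parts = urlsplit(blocked_uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname

def collect_domains(reports, blocklist=BLOCKLIST):
    """Group reported domains by directive, dropping blacklisted and non-URL sources."""
    seen = {}
    for raw in reports:
        report = json.loads(raw)["csp-report"]
        host = domain_of(report["blocked-uri"])
        if host is None or host in blocklist:
            continue
        seen.setdefault(report["effective-directive"], set()).add(host)
    return seen

def build_policy(allowed, report_uri="/csp-report", enforce=False):
    """Render the header (name, value) from whitelisted domains per directive."""
    # 'self' is always kept so first-party resources keep working.
    directives = ["default-src 'self'"]
    for directive in sorted(allowed):
        sources = " ".join(["'self'"] + sorted(allowed[directive]))
        directives.append(f"{directive} {sources}")
    directives.append(f"report-uri {report_uri}")
    # Reporting mode uses the -Report-Only header: reports are sent, nothing is blocked.
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, "; ".join(directives)

if __name__ == "__main__":
    name, value = build_policy(collect_domains(SAMPLE_REPORTS))
    print(f"{name}: {value}")
```

Run in reporting mode first and only switch `enforce=True` once the whitelist has stabilised, since the blocking header drops every resource the policy does not list.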