Security Hub

Bring your software development workflows to security

csp

Content Security Policy

Signals & Triggers

  • On request

Actions

  • Set the HTTP header

Details

A Content Security Policy (CSP) is based on a powerful HTTP header that restricts which external assets, such as scripts, styles or media, the browser is allowed to load. Enforcing a CSP can protect your app from Cross-Site Scripting (XSS), clickjacking and other code injection attacks.

The CSP lists all the authorized domains and resource types your app is allowed to use (web workers, images, fonts, media, scripts, frames, stylesheets). Thus, if a user loads a page where an attacker has injected a malicious resource, the browser will still load your page but will prevent the attacker's resource from loading.

A CSP is a very powerful protection but can be hard to manage at scale.

This plugin helps you craft and deploy a strong CSP by listing and filtering all the domains seen in your traffic, and helps you maintain it by notifying you when a new domain tries to load resources. Once enabled, it automatically sets the Content-Security-Policy-Report-Only or Content-Security-Policy HTTP header, depending on which mode you enabled (reporting or blocking).

Advanced details

For each violation report, the reported domain is matched against internal blacklists to exclude non-legitimate domains.

Based on the whitelisted domains and their category (script, connection source, media, etc.), the right policy is generated. You can also add domains manually at any time.
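The workflow described above (collect violation reports, drop blacklisted domains, group the rest by directive, render a policy and pick the header for reporting or blocking mode) is illustrated by the following added example. It is not Sqreen's code: the sample reports are constructed in the browser's standard `csp-report` JSON shape, the blocklist is a hypothetical stand-in for the plugin's internal blacklists, and the `/csp-report` endpoint is an assumed path.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample violation reports, in the "csp-report" JSON shape that
# browsers POST to the report endpoint (the plugin's own transport is not
# described on the page, so this is an assumption).
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://app.example/", '
    '"blocked-uri": "https://cdn.example/lib.js", "effective-directive": "script-src"}}',
    '{"csp-report": {"document-uri": "https://app.example/", '
    '"blocked-uri": "https://fonts.example/font.woff2", "effective-directive": "font-src"}}',
    '{"csp-report": {"document-uri": "https://app.example/", '
    '"blocked-uri": "https://evil.example/x.js", "effective-directive": "script-src"}}',
    '{"csp-report": {"document-uri": "https://app.example/", '
    '"blocked-uri": "inline", "effective-directive": "script-src"}}',
]

# Hypothetical internal blacklist: hosts that must never be whitelisted,
# no matter how often they show up in reports.
BLOCKLIST = {"evil.example"}


def origin_of(blocked_uri):
    """Return 'scheme://host[:port]' for a fetchable URL, else None.

    Values such as 'inline', 'eval' or 'data' carry no domain to whitelist,
    so they are ignored rather than turned into a bogus source.
    """
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def collect_origins(raw_reports, blocklist):
    """Group the origins seen in violation reports by directive.

    Reports whose host is on the blocklist are discarded, mirroring the
    blacklist matching step; the result feeds policy generation.
    """
    seen = defaultdict(set)
    for raw in raw_reports:
        body = json.loads(raw).get("csp-report", {})
        # Newer browsers send effective-directive; older ones only send
        # violated-directive, which may include the source list after the name.
        directive = body.get("effective-directive") or body.get("violated-directive", "")
        directive = directive.split()[0] if directive else ""
        origin = origin_of(body.get("blocked-uri", ""))
        if not directive or origin is None:
            continue
        if urlsplit(origin).hostname in blocklist:
            continue
        seen[directive].add(origin)
    return dict(seen)


def build_policy(allowed, report_uri="/csp-report"):
    """Render the policy: 'self' everywhere, plus the whitelisted origins per directive.

    Directives are emitted in sorted order so the header is stable across runs,
    which keeps diffs readable when the whitelist changes.
    """
    parts = ["default-src 'self'"]
    for directive in sorted(allowed):
        sources = " ".join(["'self'"] + sorted(allowed[directive]))
        parts.append(f"{directive} {sources}")
    # report-uri keeps violation reports flowing so new domains are noticed.
    parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def header_for(mode, policy):
    """Pick the header name for the two modes: 'reporting' only reports,
    anything else ('blocking') enforces the policy."""
    name = "Content-Security-Policy-Report-Only" if mode == "reporting" else "Content-Security-Policy"
    return name, policy


if __name__ == "__main__":
    allowed = collect_origins(SAMPLE_REPORTS, BLOCKLIST)
    policy = build_policy(allowed)
    for mode in ("reporting", "blocking"):
        name, value = header_for(mode, policy)
        print(f"{name}: {value}")
```

Running the script shows the same policy under both header names; the usual rollout is to ship it as `Content-Security-Policy-Report-Only` first, watch the reports for legitimate domains the whitelist missed, and only then switch to the enforcing header.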

Language support

  • Ruby
  • Python
  • Node.js
  • PHP
  • Java

Data collected by Sqreen

  • CSP violations report

On attack
