Content Security Policy

Print Friendly, PDF & Email

Content Security Policy (CSP) was developed to save online websites and applications from cross-site scripting (XSS) attacks. While the first version of CSP was only published in 2012, attempts to devise such a method can be traced back to 2004. CSP version 2 is the current version of the standard and is supported by both Chrome and Firefox, while Safari and edge only support version 1. It works when the web server sends a special header to the web browser identifying that the server implements a content security policy. It dictates from where the browser should load web components like stylesheets, script files, images, and fonts and ascertain their original form hasn’t been altered (SRI – sub-resource integrity verification). The web browser should then reference this information when loading the HTML code for the site and prevent any files loading from sources that have not been whitelisted by the policy.

While this won’t render all XSS style attacks impossible, it will prevent all XSS attacks involving tricking the browser to load malicious files from external websites. Implementing CSP is as simple as placing a few files of configuration in your web server configuration. When running Apache web servers you can modify the virtualhost configuration for your website or use a .htaccess file for the directory your website resides within to reflect the configuration changes. For anyone running a website on a dedicated server or VPS then the virtualhost configuration method is recommended whilst the .htaccess file method should only be needed if your website is on shared web hosting.

CSP is implemented by incorporating certain instructions called directives to change the web server configurations. All these directives and their potential source declarations can be found here: