Content Security Policy Header

What does it protect against?

• This header protects the user against XSS Attacks where malicious users try to call their own scripts from somewhere else on the internet in your site ^[1]

What it does

• This header forces you to list all of the sources for content that you will use on your site that are outside of your domain^[1:1]

Notes

• default-src: if we don't allow it explicitly somewhere else don't load the source^[1:2]
• script-src: a list of domains or exact url of scripts that are allowed on your site^[1:3]
• object-src: valid source for <object>, <embed>, and <applet>^[1:4]
• style-src: valid source for styles^[1:5]
• img-src: valid source for images^[1:6]
• media-src: valid source for video/audio^[1:7]
• frame-src: valid source for frames^[1:8]
• font-src: valid source for fonts^[1:9]
• script-nonce: Definition
• report-uri: The CSP will create a report for all blocked content and other helpful information and send it to the uri specified. The only issue with this iss the information will be public so attackers can see it^[1:10]

Examples

• Content-Security-Policy: default-src 'self'; block-all-mixed-content;^[1:11]
  • This blocks everything and is only to be used on static sites