HTTP - Content security policy (CSP)


1 - About

Through an HTTP header in your server's response, you can declare which content sources are trusted on the page. CSP can be used to detect and mitigate the effects of certain attacks, such as Cross-Site Scripting (XSS): resources that do not come from a listed source are refused by the browser, and violations can be reported.

CSP is particularly powerful because it includes directives such as script-src, which specifies the sources from which JavaScript may be loaded.


3 - Example

  • Given this CSP header:
Content-Security-Policy: script-src https://example.com/
  • a script from any other origin, such as the one below, is not executed by the browser:
<script src="https://not-example.com/js/library.js"></script>
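As an added illustration that is not part of the original page, a small Python checker applies the example above: it parses a Content-Security-Policy value and decides whether script-src (or default-src as fallback) permits a given script URL. The function names are chosen here, and the matching is a simplified form of the CSP host-source rules (no nonces, hashes or 'unsafe-*' keywords).

```python
from urllib.parse import urlparse

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url, page_origin):
    """Simplified CSP host-source matching for one source expression."""
    target = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":                         # same scheme and host[:port] as the page
        origin = urlparse(page_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if source == "*":                              # anything except data:, blob:, filesystem:
        return target.scheme not in ("data", "blob", "filesystem")
    if source.endswith(":"):                       # scheme-source such as https:
        return target.scheme == source[:-1].lower()
    if "://" not in source:                        # bare host inherits the page's scheme
        source = urlparse(page_origin).scheme + "://" + source
    allowed = urlparse(source)
    if allowed.scheme != target.scheme:
        return False
    host = allowed.hostname or ""
    if host.startswith("*."):                      # *.example.com matches any subdomain
        if not (target.hostname or "").endswith(host[1:]):
            return False
    elif host != target.hostname:
        return False
    default_port = {"http": 80, "https": 443}.get(target.scheme)
    if allowed.port is not None and allowed.port != (target.port or default_port):
        return False
    path = allowed.path
    if path and path != "/":                       # "/js/" is a prefix, "/js/a.js" is exact
        return target.path.startswith(path) if path.endswith("/") else target.path == path
    return True

def script_allowed(header, script_url, page_origin="https://example.com"):
    """True if script-src (falling back to default-src) permits loading script_url."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                                # no governing directive: no restriction
    return any(source_matches(s, script_url, page_origin) for s in sources)
```

With the page's header, `script_allowed("script-src https://example.com/", "https://not-example.com/js/library.js")` is False, while the same path under https://example.com/ is allowed.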

4 - Documentation / Reference

web/http/csp.txt · Last modified: 2019/03/17 23:15 by gerardnico