HTTP - Content security policy (CSP)


1 - About

Through an HTTP response header (Content-Security-Policy), your server tells the browser which sources of content (scripts, styles, images, frames, connections, and so on) the page is allowed to load. Anything outside that allow-list is refused by the browser, so CSP can be used to detect and mitigate the effects of certain attacks, notably Cross Site Scripting (XSS).

CSP is particularly powerful because its directives are granular: script-src, for instance, specifies which sources are valid for JavaScript, so a script injected from an origin that is not listed is never executed. Violations can also be reported back to the server (report-uri / report-to), which makes CSP useful as a detection signal, not only as a blocking control.


3 - Example

3.1 - Third party script

  • Given this CSP header:
Content-Security-Policy: script-src https://example.com/
  • the following script tag is neither fetched nor executed, because https://not-example.com is not a listed source; the browser logs a CSP violation in the console instead:
<script src="https://not-example.com/js/library.js"></script>
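To make the decision above concrete, here is an added example (not code from the original page) that models the CSP source-matching rules for a single directive and evaluates the script tag against the header shown. It handles host sources (with path prefix and wildcard host), scheme sources, 'self', 'none', '*' and the fallback to default-src; nonces, hashes, 'strict-dynamic' and redirects are deliberately not modelled. The page origin https://app.test and all URLs other than the page's own are constructed for the example.

```javascript
// Added example: simplified CSP source-expression matching (not the page's code).
// Not modelled: nonces, hashes, 'strict-dynamic', 'unsafe-inline', redirects.

// Parse a Content-Security-Policy header value into a Map of directive -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Effective port of a URL, filling in the scheme default when none is explicit.
function portOf(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || "";
}

// Does one source expression ('self', https:, *.example.com, https://example.com/ ...) match url?
function sourceMatches(expr, url, page) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "*") return Object.prototype.hasOwnProperty.call(DEFAULT_PORTS, url.protocol);
  if (lower === "'self'") {
    return url.protocol === page.protocol && url.hostname === page.hostname && portOf(url) === portOf(page);
  }
  if (lower.startsWith("'")) return false; // other keyword sources are not modelled here
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower; // scheme-source

  // host-source: [scheme://]host[:port][/path]
  const m = expr.match(/^(?:([A-Za-z][A-Za-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(\/\S*)?$/);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ":" : null;
  const host = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];

  // Scheme: an explicit scheme must match; an omitted scheme means "same as the page",
  // except that an http page may load https resources.
  if (scheme) {
    if (url.protocol !== scheme) return false;
  } else if (url.protocol !== page.protocol && !(page.protocol === "http:" && url.protocol === "https:")) {
    return false;
  }
  // Host: "*.example.com" matches subdomains only, never example.com itself.
  if (host.startsWith("*.")) {
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (url.hostname !== host) {
    return false;
  }
  // Port: an explicit port must match ('*' = any); an omitted port means the scheme default.
  if (port === undefined) {
    if (portOf(url) !== (DEFAULT_PORTS[url.protocol] || "")) return false;
  } else if (port !== "*" && portOf(url) !== port) {
    return false;
  }
  // Path: a trailing "/" is a prefix match, otherwise the path must match exactly.
  if (path) {
    if (path.endsWith("/")) {
      if (!url.pathname.startsWith(path)) return false;
    } else if (url.pathname !== path) {
      return false;
    }
  }
  return true;
}

// Decide whether a fetch governed by `directive` is allowed. A missing directive
// falls back to default-src; if neither is present the policy does not restrict it.
function isAllowed(header, directive, resourceUrl, pageUrl) {
  const policy = parsePolicy(header);
  let sources = policy.get(directive);
  if (sources === undefined) sources = policy.get("default-src");
  if (sources === undefined) return true;
  const url = new URL(resourceUrl);
  const page = new URL(pageUrl);
  return sources.some((expr) => sourceMatches(expr, url, page));
}

// The page's own example, evaluated. The page origin https://app.test is constructed.
const HEADER = "script-src https://example.com/";
const PAGE = "https://app.test/index.html";
console.log(isAllowed(HEADER, "script-src", "https://not-example.com/js/library.js", PAGE)); // false
console.log(isAllowed(HEADER, "script-src", "https://example.com/js/app.js", PAGE));         // true
```

The evaluator is useful when reviewing a policy: feed it the header a server actually returns and the script URLs in the page, and it tells you which tags the browser will refuse before you deploy. Note that an origin allow-list alone still permits anything hosted on the listed origin (for example a JSONP endpoint or an open redirect on it), which is why current guidance favours nonce- or hash-based script-src with 'strict-dynamic' over broad host allow-lists.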

3.2 - Block HTTP call on HTTPS page

The policy can also be delivered in the document itself through a meta tag (not every directive is honoured there; reporting directives and frame-ancestors, for instance, only work in the HTTP header). The following directive makes the browser refuse any http:// sub-resource on an https:// page, passive content such as images included:

<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content" />

Modern browsers already block active mixed content (scripts, frames, fetch/XHR) by default, and this directive is marked deprecated in current references; the usual replacement is upgrade-insecure-requests, which rewrites http:// sub-resource URLs to https:// instead of blocking them.

4 - Documentation / Reference