Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com
This header also takes two other forms: X-Content-Security-Policy and X-WebKit-CSP. As browsers mature, the 'X-' prefixed form and X-WebKit-CSP will be deprecated. For the best possible support, it is recommended that a policy be delivered with all three headers. Below is an ideal response using all three variations:

Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com
X-Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com
X-WebKit-CSP: default-src 'self'; script-src 'self' cdn.example.com
Ethical hacking professionals should be aware that if CSP is in use by an application but is not delivered on particular pages, this likely indicates an oversight by the application developers and should be raised as an issue. CSP is effective on a per-page basis, so it cannot prevent an XSS vulnerability if the header is not delivered on the vulnerable page.
Content-Security-Policy: default-src 'self'; script-src 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'
[…]
<script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
alert("Allowed because nonce is valid.")
</script>
connect-src – Controls where WebSockets, XMLHttpRequests, and Server-Sent Events can connect. This could mitigate a parameter tampering vulnerability if these functions are generated dynamically.

reflected-xss (experimental) – This serves as a direct replacement for the X-XSS-Protection header. Its two values have the following equivalents:

reflected-xss filter – equivalent to X-XSS-Protection: 1
reflected-xss block – equivalent to X-XSS-Protection: 1; mode=block
Reporting

CSP 1.1 introduces reporting capabilities. When a violation of your policy occurs, the user's web browser will send the violation details in JSON format to a destination of your choosing. It should be understood that this does open the door to new abuse cases and should be used with the same caution as any other functional component of your application. CSP can also operate in "report only" mode, where policies are not enforced but reports of violations will still be sent to you. This can be very useful for testing a policy before deployment, since it can be difficult to determine just how CSP will affect a large application. To use CSP in this mode, the policy should be delivered via the following header:
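As an added example that is not part of the original article, the following Python covers two pieces the article describes: generating a fresh per-response nonce for the script-src directive (the nonce example above), and validating the JSON violation report a browser posts back (the reporting section). It assumes the CSP 1.1 report shape (a top-level csp-report object carrying document-uri, violated-directive and blocked-uri) and the report-uri directive; the sample report and the /csp-report path are constructed.

```python
import json
import secrets
from typing import Optional

MAX_REPORT_BYTES = 8 * 1024  # the report endpoint receives unauthenticated input; cap it


def new_nonce() -> str:
    # A nonce must be unpredictable and unique per response; 16 random bytes is ample.
    return secrets.token_urlsafe(16)


def build_policy(nonce: str, report_path: str = "/csp-report") -> str:
    """Policy string from the article, with a per-response nonce and a report-uri
    (report-uri is the CSP 1.1 directive that names the reporting destination)."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"report-uri {report_path}"
    )


def parse_violation_report(body: bytes) -> Optional[dict]:
    """Validate a browser-posted violation report and return the fields worth logging.
    Anything that is not a well-formed report yields None: the endpoint must not
    trust or store arbitrary input that merely arrived at the report URL."""
    if len(body) > MAX_REPORT_BYTES:
        return None
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    out = {}
    for key in ("document-uri", "violated-directive", "blocked-uri"):
        value = report.get(key)
        if not isinstance(value, str):
            return None
        out[key] = value[:2048]  # truncate so a hostile report cannot bloat the logs
    return out


# Constructed sample report in the shape a browser posts (not captured from a real browser).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example.com/account",
    "violated-directive": "script-src 'self' cdn.example.com",
    "blocked-uri": "https://evil.example.net/x.js",
}}).encode()

if __name__ == "__main__":
    print(build_policy(new_nonce()))
    print(parse_violation_report(SAMPLE_REPORT))
```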
Policy Generation

Policies will often be best generated by hand, but using a generation tool will give you something to start with. Mal Curtis has a very useful CSP generation tool that can get you started quickly making a policy.

Further reading:
Up to date details for browser support – http://caniuse.com/contentsecuritypolicy
HTML5 Rocks Tutorial – http://www.html5rocks.com/en/tutorials/security/content-security-policy/
Full CSP 1.1 specification working draft – https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html