
Content Security Policy (CSP)

Content Security Policy (CSP) is a security feature that helps prevent attacks such as Cross-Site Scripting (XSS) and data injection by controlling which resources a web page is allowed to load. It works by defining a set of rules or directives in HTTP headers that specify the sources of content the browser should trust and execute.

Core Directives:

1. script-src: Controls the allowed sources for JavaScript.

2. style-src: Specifies the sources for CSS stylesheets.

3. img-src: Defines trusted sources for images.

4. default-src: Acts as a fallback for unspecified directives.

5. connect-src: Restricts the URLs for AJAX requests and WebSocket connections.
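The following is an added example, not code from the glossary page, that models how a browser resolves the directives above for a single resource load: the governing directive is looked up, default-src is used as the fallback when it is absent, and each source expression is matched against the URL. It handles only 'self', 'none', '*', scheme sources and host sources (with an optional "*." wildcard, port and path); nonces, hashes and 'unsafe-inline' are out of scope. The policy string, the page origin and the URLs are constructed for the demonstration.

```javascript
// Added example (not from the glossary page): a simplified model of CSP
// directive resolution and source matching as a browser performs it.
// Simplifications: keyword sources other than 'self'/'none'/'*', nonces and
// hashes are not handled.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parsePolicy(headerValue) {
  const policy = Object.create(null);
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

// Fetch directives (script-src, style-src, img-src, connect-src, ...) fall
// back to default-src when they are not set explicitly.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if ("default-src" in policy) return policy["default-src"];
  return null; // no governing directive: the load is allowed
}

// Split a host source such as "https://*.cdn.example:443/libs/" into parts.
function parseHostSource(source) {
  let rest = source, scheme = null, path = null, port = null;
  const schemeEnd = rest.indexOf("://");
  if (schemeEnd !== -1) {
    scheme = rest.slice(0, schemeEnd).toLowerCase() + ":";
    rest = rest.slice(schemeEnd + 3);
  }
  const slash = rest.indexOf("/");
  if (slash !== -1) { path = rest.slice(slash); rest = rest.slice(0, slash); }
  const colon = rest.lastIndexOf(":");
  if (colon !== -1) { port = rest.slice(colon + 1); rest = rest.slice(0, colon); }
  return { scheme, host: rest.toLowerCase(), port, path };
}

// Does one source expression permit loading `url` from a page at `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === page.origin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.\-]*:$/.test(s)) return target.protocol === s; // scheme source
  const h = parseHostSource(source);
  // Without an explicit scheme, the page's scheme (or an upgrade to https) is required.
  if (h.scheme ? target.protocol !== h.scheme
               : target.protocol !== page.protocol && target.protocol !== "https:") return false;
  if (h.host.startsWith("*.")) {
    if (!target.hostname.endsWith(h.host.slice(1))) return false; // needs a subdomain
  } else if (target.hostname !== h.host) return false;
  if (h.port !== null && h.port !== "*") {
    const targetPort = target.port || (target.protocol === "https:" ? "443" : "80");
    if (targetPort !== h.port) return false;
  }
  if (h.path !== null) {
    const prefix = h.path.endsWith("/"); // trailing slash means prefix match
    if (prefix ? !target.pathname.startsWith(h.path) : target.pathname !== h.path) return false;
  }
  return true;
}

// The decision the browser makes for one load under one directive.
function isAllowed(policy, directive, url, pageOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed sample policy and page origin (not from a real deployment).
const SAMPLE_POLICY = parsePolicy(
  "default-src 'self'; script-src 'self' https://cdn.example.com; " +
  "img-src *.images.example; connect-src 'none'"
);
const PAGE = "https://app.example.org";

for (const [directive, url] of [
  ["script-src", "https://cdn.example.com/lib.js"],  // allowed
  ["script-src", "https://other.example.net/x.js"],  // blocked
  ["style-src", "https://app.example.org/site.css"], // allowed via default-src 'self'
  ["img-src", "https://a.images.example/p.png"],     // allowed by the wildcard
  ["img-src", "https://images.example/p.png"],       // blocked: wildcard needs a subdomain
  ["connect-src", "https://app.example.org/api"],    // blocked by 'none'
]) {
  console.log(directive, url, isAllowed(SAMPLE_POLICY, directive, url, PAGE) ? "allowed" : "blocked");
}
```

The fallback step is the part most often misread when writing a policy: a directive that is never set inherits default-src, so a permissive default-src quietly widens every fetch directive that was left out.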

How CSP Works:

Server Configuration: The server sends CSP rules via HTTP headers or HTML <meta> tags.

Browser Enforcement: The browser evaluates the rules and blocks or allows content based on the policy.

Violation Reports: CSP can log policy violations to a server for auditing and troubleshooting.
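The three steps above, server configuration and violation reporting in particular, as an added example that is not code from the glossary page or from CodeBranch. It assumes a plain Node.js server that sets the response header itself and receives report-uri POST bodies in the legacy application/csp-report JSON shape; the directive list, the /csp-report path and the sample reports are constructed for the demonstration.

```javascript
// Added example (not from the glossary page): building the CSP header on the
// server and triaging the violation reports the browser sends back.
// Assumptions: a hypothetical report endpoint at /csp-report, and reports in
// the legacy report-uri JSON format ({"csp-report": {...}}).

// Directive names accepted by the builder (a subset, constructed for this example).
const KNOWN_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "connect-src", "font-src",
  "frame-ancestors", "object-src", "base-uri", "report-uri", "report-to",
]);

// Serialize { directive: [sources] } into a header value. Unknown directives and
// sources containing ';' or ',' are rejected so a typo cannot silently split or
// truncate the policy.
function buildPolicyHeader(directives) {
  const parts = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (!KNOWN_DIRECTIVES.has(name)) throw new Error(`unknown directive: ${name}`);
    if (sources.some((s) => /[;,]/.test(s))) throw new Error(`invalid source in ${name}`);
    parts.push([name, ...sources].join(" "));
  }
  return parts.join("; ");
}

// Pick the header name: Report-Only while tuning a new policy (nothing is
// blocked, violations are still reported), the enforcing header once reports
// show no legitimate resources being hit.
function policyHeader(directives, { reportOnly = false } = {}) {
  const name = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  return [name, buildPolicyHeader(directives)];
}

// Apply the policy to a Node.js http.ServerResponse-like object.
function applyPolicy(res, directives, options) {
  const [name, value] = policyHeader(directives, options);
  res.setHeader(name, value);
}

// Parse one report-uri POST body into a compact record.
function parseViolationReport(body) {
  const r = JSON.parse(body)["csp-report"];
  if (!r) throw new Error("not a csp-report body");
  return {
    document: r["document-uri"],
    directive: r["effective-directive"] || r["violated-directive"],
    blocked: r["blocked-uri"] || "",
    source: r["source-file"] ? `${r["source-file"]}:${r["line-number"] ?? "?"}` : null,
  };
}

// Aggregate reports for auditing: count per (directive, blocked URI), and set
// aside script-src violations for inline or eval'd code, because under a policy
// without 'unsafe-inline' that is the signature of an injected script rather
// than of a forgotten CDN.
function summarizeReports(bodies) {
  const counts = new Map();
  const suspicious = [];
  for (const body of bodies) {
    const rep = parseViolationReport(body);
    const key = `${rep.directive} ${rep.blocked}`;
    counts.set(key, (counts.get(key) || 0) + 1);
    if (rep.directive.startsWith("script-src") && ["inline", "eval"].includes(rep.blocked)) {
      suspicious.push(rep);
    }
  }
  return { counts: Object.fromEntries(counts), suspicious };
}

// Constructed sample policy and reports (not captured from a real site).
const SAMPLE_DIRECTIVES = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example.com"],
  "report-uri": ["/csp-report"],
};
const SAMPLE_REPORTS = [
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example.org/checkout",
    "effective-directive": "script-src-elem", "violated-directive": "script-src",
    "blocked-uri": "inline" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example.org/checkout",
    "effective-directive": "img-src", "violated-directive": "img-src",
    "blocked-uri": "https://analytics.example.net/pixel.gif",
    "source-file": "https://app.example.org/checkout", "line-number": 42 } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example.org/cart",
    "effective-directive": "img-src", "violated-directive": "img-src",
    "blocked-uri": "https://analytics.example.net/pixel.gif" } }),
];

console.log(policyHeader(SAMPLE_DIRECTIVES, { reportOnly: true }));
console.log(summarizeReports(SAMPLE_REPORTS));
```

Rolling a policy out in Report-Only mode first is how the "blocking legitimate resources" problem is found before users see it: the repeated img-src entry in the summary points at a missing allowlist entry, while the single inline script-src report is the one worth investigating.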

Benefits:

Prevention of XSS Attacks: Blocks malicious scripts injected into web pages.

Enhanced Control: Provides granular control over the types of content loaded on a site.

Improved Security Posture: Reduces the attack surface of web applications.

Compliance: Helps address security guidance and regulatory requirements such as the OWASP Top 10 and GDPR.

Challenges:

Implementation Complexity: Requires careful configuration to avoid blocking legitimate resources.

Compatibility Issues: Some older browsers may not fully support CSP.

Maintenance Overhead: As websites evolve, CSP policies need to be updated accordingly.

Use Cases:

Secure Web Applications: Protecting user data on e-commerce and banking platforms.

Content Integrity: Preventing unauthorized modifications to site content.

Compliance Standards: Enhancing adherence to cybersecurity regulations.

CSP is a powerful tool for improving web security, ensuring that only trusted content is executed within a web page, thus safeguarding both users and organizations from potential threats.

How CodeBranch applies Content Security Policy (CSP) in real projects

The definition above gives you the concept — but knowing what Content Security Policy (CSP) means is different from knowing when and how to apply it in a production system. At CodeBranch, we have spent 20+ years building custom software across healthcare, fintech, supply chain, proptech, audio, connected devices, and more. Every entry in this glossary reflects how our engineering, architecture, and QA teams actually use these concepts on client projects today.

Our work combines AI-powered agentic development, the Spec-Driven Development (SDD) framework, CI/CD pipelines with agent rules, and production-grade quality gates. Whether you are evaluating a technology for your product, trying to understand a vendor proposal, or simply learning, this glossary is written to give you practical, accurate context — not theoretical abstractions.
