The HTTP Content Security Policy header

This is an interesting header. It allows you to set rules for different classes of assets. An asset is an image, video, JavaScript file, AJAX request, etc. included in or made by one of your web pages.

For example, a bank might set "only allow assets from this server". If a page then links to an external JavaScript URL, the browser will refuse to load it.

You can also set a 'report violations' URL. The browser will then send a warning message to the website: a POST request to the URL you set in the header.

The full syntax is available here, but here are a few examples.

The policy can be set in a web page,


<!-- 
this is an HTML example
- everything comes from this website, 
- except images, which can come from any HTTPS site
  (the directive is img-src, and "https:" on its own means "any https:// URL")
-->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https:"> 

or in the server config.

# Apache virtual host or .htaccess (needs mod_headers enabled)
#
# This example sets
# - by default, everything must be loaded from this domain
# - except images from anywhere
# - except JavaScript from self or the 2 listed domain names
Header set Content-Security-Policy "default-src 'self'; img-src *; script-src 'self' cdn.jquery.com maps.google.com"

# this example sets the reporting URL
# (to test a policy without enforcing it, send the same value in the
#  Content-Security-Policy-Report-Only header instead)
Header set Content-Security-Policy "default-src 'self'; report-uri https://www.example.com/violation-reports.cgi"
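To make the "which directive applies to which asset" logic concrete, here is a small policy matcher that evaluates policies like the ones above. It is an added example, not code from the original post, and it models only the subset of CSP used here ('self', '*', 'none', bare host names with an optional *. wildcard, and scheme-only sources such as https:); real browsers implement much more.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {"script-src", "img-src", "style-src", "connect-src",
                    "font-src", "media-src", "object-src", "frame-src"}


def parse_policy(policy):
    """Turn "default-src 'self'; img-src *" into {directive: [sources]}."""
    result = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def source_matches(source, url, page_url):
    """Does one source expression permit loading url from page_url?"""
    u, p = urlsplit(url), urlsplit(page_url)
    if source == "'self'":               # same scheme and host:port as the page
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source == "*":
        return True
    if source == "'none'":
        return False
    if source.endswith(":"):             # scheme source, e.g. https:
        return u.scheme == source[:-1]
    if "://" in source:                  # host source with an explicit scheme
        scheme, host = source.split("://", 1)
        if u.scheme != scheme:
            return False
    else:
        host = source
    if host.startswith("*."):            # *.example.com matches subdomains only
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def is_allowed(policy, directive, url, page_url):
    """Pick the effective directive (falling back to default-src) and match."""
    directives = parse_policy(policy)
    sources = directives.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = directives.get("default-src")
    if sources is None:                  # nothing set: CSP does not restrict it
        return True
    return any(source_matches(s, url, page_url) for s in sources)
```

With the first server policy above, a script from cdn.jquery.com is allowed, a script from any other host is blocked, an image may come from anywhere, and an AJAX request (connect-src, not listed) falls back to default-src and so must go to the page's own origin.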
