Web security: CSP

Seventh post in the web security series.

My previous post was about HTTP headers; there is one more to cover, and not the least of them: Content Security Policy (CSP).

CSP, currently in version 1 and soon in version 2, is a set of directives that restrict where your web application's content may come from and what it is allowed to do, in order to prevent XSS.

For instance, you can state that all images come from your domain; that JavaScript files come from your domain, google.com and facebook.com; that the JavaScript eval function is forbidden; that inline JavaScript is forbidden; that CSS comes from your domain only…
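The policy just described, written out as a header and evaluated the way a browser would apply it, as an added example that is not part of the original post. The site origin `https://example.com`, the directive names and the simplified source matching (exact host or a `*.` wildcard, no port or path matching) are assumptions for the illustration; the point it shows is that a directive you leave out falls back to `default-src`, and that inline script and `eval` stay blocked unless you explicitly opt in with `'unsafe-inline'` / `'unsafe-eval'`.

```python
# Added example, not code from the original post: build the CSP header the text
# describes and check resource loads against it, including default-src fallback.
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # assumed origin standing in for "your domain"

# Policy from the text: images and CSS only from our origin, scripts from our
# origin plus google.com and facebook.com, no inline script, no eval.
# default-src 'self' covers every fetch directive not listed (fonts, XHR, ...).
POLICY_DIRECTIVES = {
    "default-src": ["'self'"],
    "img-src": ["'self'"],
    "script-src": ["'self'", "google.com", "facebook.com"],
    "style-src": ["'self'"],
}


def build_policy(directives=POLICY_DIRECTIVES):
    """Serialise directives into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def parse_policy(header):
    """Parse a header value back into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def _sources_for(policy, directive):
    # Fetch directives (img-src, font-src, ...) fall back to default-src when absent.
    return policy.get(directive, policy.get("default-src", []))


def _host_matches(pattern, host):
    # Simplified host-source matching: exact host, or "*.example" wildcard subdomains.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.google.com" -> ".google.com"
    return host == pattern


def is_allowed(policy, directive, url, page_origin=SITE_ORIGIN):
    """Would a resource at `url`, loaded under `directive`, be permitted?"""
    sources = _sources_for(policy, directive)
    if "*" in sources:
        return True
    target = urlsplit(url)
    page = urlsplit(page_origin)
    host = target.hostname or ""
    for source in sources:
        if source == "'none'":
            return False
        if source == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
            continue
        if source.startswith("'"):
            continue  # 'unsafe-inline', 'unsafe-eval', nonces: not host sources
        if "://" in source:  # scheme-qualified host source, e.g. https://cdn.example
            s_scheme, s_host = source.split("://", 1)
            if target.scheme == s_scheme and _host_matches(s_host, host):
                return True
        elif _host_matches(source, host):
            return True
    return False


def inline_script_allowed(policy):
    """Inline <script> blocks and on* handlers run only with 'unsafe-inline'."""
    return "'unsafe-inline'" in _sources_for(policy, "script-src")


def eval_allowed(policy):
    """eval() / new Function() run only with 'unsafe-eval' in script-src."""
    return "'unsafe-eval'" in _sources_for(policy, "script-src")


if __name__ == "__main__":
    header = build_policy()
    print("Content-Security-Policy:", header)
    policy = parse_policy(header)
    print("google.com script:", is_allowed(policy, "script-src", "https://google.com/a.js"))
    print("google.com image:", is_allowed(policy, "img-src", "https://google.com/a.png"))
    print("inline script allowed:", inline_script_allowed(policy))
```

Run it as a script to print the header and a few decisions; the useful thing to notice is that `google.com` is allowed for scripts but not for images, because `img-src` was set separately and does not inherit from `script-src`.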

It's very powerful. I tried it with a quite restrictive configuration and found that it made me write JavaScript in a better, cleaner way.

CSP in its first version is supported by most web browsers (except Internet Explorer…), and I really encourage you to try it. It's not easy to add to an existing application, but it's worth the effort.

CSP helps prevent XSS attacks, but that does not excuse you from writing good code in the first place (more about that later 😉). However careful you are when writing your web application, it can happen that you let an XSS vulnerability reach production; in that case CSP is your safeguard.

Check the Content Security Policy Reference.
