Servers and browsers adhere to a standard known as Content Security Policy (CSP) to interoperably send and receive security policies. A policy restricts what a browser can do with a response, in order to protect the user and server. Policy restrictions are designed to prevent or mitigate various web attacks. In this chapter, you’ll learn how to easily apply CSP with django-csp. This chapter covers CSP Level 2 and finishes with parts of CSP Level 3.
A policy is delivered from a server to a browser in a Content-Security-Policy response header. A policy applies only to the response it arrives with. Every policy contains one or more directives, separated by semicolons, and each directive restricts one kind of behavior. For example, suppose bank.alice.com adds the CSP header shown in figure 15.1 to each resource. This header carries a simple policy composed of one directive, blocking the browser from executing JavaScript.
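To make the structure of a policy concrete, here is a small parser and serializer for a Content-Security-Policy header value. This is an added example, not code from the book or from django-csp, and the header strings in it are constructed for illustration. It also models two rules a practitioner should know when reading a policy: a fetch directive such as script-src falls back to default-src when it is absent, and a directive name that appears twice is honored only the first time (later copies are ignored).

```python
"""Parse, inspect and build Content-Security-Policy header values.

Added example; not code from the book or from django-csp. The policies
used in the comments and docstrings are constructed for illustration.
"""
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when they are not set
# (CSP Level 2). Directives such as frame-ancestors do not fall back.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "child-src",
}


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a header value into {directive-name: [source expressions]}.

    Directives are separated by ';'; a directive's name and its source
    expressions are separated by whitespace. Names are case-insensitive.
    A name that appears more than once keeps its first occurrence only,
    which is how browsers treat duplicate directives.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header_value.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        name = tokens[0].lower()
        if name in policy:
            continue  # duplicate directive: the first one wins
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Return the source list that governs `directive`.

    Applies the default-src fallback. Returns None when neither the
    directive nor default-src is present, i.e. the policy does not
    restrict that kind of fetch at all.
    """
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def blocks_scripts(policy: Dict[str, List[str]]) -> bool:
    """True if the policy forbids loading scripts from anywhere.

    Only a bare 'none' blocks everything; 'none' next to other sources
    has no effect, so a mixed list is not treated as blocking.
    """
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return False
    return [s.lower() for s in sources] == ["'none'"]


def build_csp(policy: Dict[str, List[str]]) -> str:
    """Serialize a policy dict back into a header value.

    Directives that take no sources (for example sandbox) are emitted
    as the bare name.
    """
    return "; ".join(
        " ".join([name, *sources]) if sources else name
        for name, sources in policy.items()
    )


if __name__ == "__main__":
    # Constructed policy: the second script-src is a duplicate and is dropped.
    header = "default-src 'self'; script-src 'none'; script-src 'unsafe-inline'"
    parsed = parse_csp(header)
    print(parsed)
    print("blocks scripts:", blocks_scripts(parsed))
    print(build_csp(parsed))
```

The duplicate-directive rule is the one that bites in practice: if a framework and a middleware both emit script-src, the browser silently keeps the first and the second never takes effect, so the parsed dict is what the browser actually enforces, not the concatenated string.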