15 Content Security Policy


This chapter covers

  • Composing a content security policy with fetch, navigation, and document directives
  • Deploying CSP with django-csp
  • Detecting CSP violations with reporting directives
  • Resisting XSS and man-in-the-middle attacks

Servers and browsers adhere to a standard known as Content Security Policy (CSP) to interoperably send and receive security policies. A policy restricts what a browser can do with a response, in order to protect the user and server. Policy restrictions are designed to prevent or mitigate various web attacks. In this chapter, you’ll learn how to easily apply CSP with django-csp. This chapter covers CSP Level 2 and finishes with parts of CSP Level 3.

A policy is delivered from a server to a browser by a Content-Security-Policy response header. A policy applies to only the response it arrives with. Every policy contains one or more directives. For example, suppose bank.alice.com adds the CSP header shown in figure 15.1 to each resource. This header carries a simple policy composed of one directive, blocking the browser from executing JavaScript.

Figure 15.1 A Content-Security-Policy header forbids JavaScript execution with a simple policy.
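As an added illustration (not code from the book or from django-csp), the following Python evaluator models the header structure described above: a policy value split into named directives, each with a list of source expressions, and a fetch directive such as script-src falling back to default-src when absent. The sample policy and origins are constructed, and the single directive in figure 15.1 is assumed to be a script-src restriction.

```python
from urllib.parse import urlsplit

# Constructed policy in the spirit of figure 15.1's single-directive policy.
# The exact directive shown in the figure is not on this page; this value is an assumption.
SAMPLE_POLICY = "default-src 'self'; script-src 'none'"


def parse_policy(header_value):
    """Split a Content-Security-Policy value into {directive name: [source expressions]}."""
    directives = {}
    for token in header_value.split(";"):
        parts = token.split()
        if parts:
            # A browser keeps the first occurrence of a repeated directive name.
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def _matches(source, url, page_origin):
    """True if one source expression allows url. Ports are ignored for brevity."""
    target = urlsplit(url)
    if source == "'self'":
        return (target.scheme, target.hostname) == page_origin
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != target.scheme:
        return False
    if host.startswith("*."):
        return target.hostname.endswith(host[1:])  # *.example.net matches a.example.net
    return target.hostname == host


def allows(policy, directive, url, page_origin):
    """Evaluate a fetch directive; an absent fetch directive falls back to default-src."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # nothing in the policy governs this fetch
    return any(_matches(s, url, page_origin) for s in sources)  # empty list == 'none'


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    origin = ("https", "bank.alice.com")
    print(allows(policy, "script-src", "https://bank.alice.com/app.js", origin))  # False
    print(allows(policy, "img-src", "https://bank.alice.com/logo.png", origin))   # True
```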

15.1 Composing a content security policy

15.1.1 Fetch directives

Navigation and document directives

15.2 Deploying a policy with django-csp

15.3 Using individualized policies

15.4 Reporting CSP violations

15.5 Content Security Policy Level 3

Summary
