15 Content Security Policy

 

This chapter covers

  • Composing a content security policy with fetch, navigation, and document directives
  • Deploying CSP with django-csp
  • Detecting CSP violations with reporting directives
  • Resisting XSS and man-in-the-middle attacks

Servers and browsers adhere to a standard known as Content Security Policy (CSP) to interoperably send and receive security policies. A policy restricts what a browser can do with a response in order to protect the user and server. Policy restrictions are designed to prevent or mitigate various web attacks. In this chapter you learn how to easily apply CSP with django-csp. This chapter covers CSP Level 2 and it finishes with parts of CSP Level 3.

A policy is delivered from a server to a browser by a Content-Security-Policy response header. A policy applies to only the response it arrives with. Every policy contains one or more directives. For example, suppose bank.alice.com adds the following CSP header to each resource. This header carries a simple policy composed of one directive, blocking the browser from executing JavaScript.

Figure 15.1 A Content-Security-Policy header forbids JavaScript execution with a simple policy

15.1  Composing a content security policy

15.1.1    Fetch directives

15.1.2    Navigation and document directives

15.2  Deploying a policy with django-csp

15.3  Individualized policies

15.4  Reporting CSP violations

15.5  Content Security Policy Level 3

15.6  Summary

sitemap