Content Security Policy (CSP)
What is Content Security Policy (CSP)?
Content Security Policy (CSP) is a web security standard in which the server tells the visitor's browser, through an HTTP response header, which sources of content are allowed on that site. The browser can also be asked to report policy violations, i.e. attempts to load content that the policy does not allow, back to the site administrator. The aim of CSP is to limit the inclusion of malicious code and other components on the site, which mitigates attacks such as Cross-Site Scripting (XSS) and clickjacking. To benefit from CSP, site visitors must have a modern web browser (Chrome 25+, Edge 14+, Firefox 23+, Opera 15+, Safari 7+; IE 10+ has only partial support). An older browser simply ignores the header, so CSP is an additional layer of defence, not a replacement for fixing the underlying vulnerability.
Attacks that can be prevented with CSP
By implementing CSP, you can mitigate, and in many cases block outright, attacks such as:
Cross Site Scripting (XSS)
With Cross-Site Scripting (XSS) an attacker injects malicious script into a page served by the site, for example through unsanitised user input, and that script then runs in visitors' browsers with access to the data the site processes (session cookies, form contents, page content). The browser executes the injected script because it cannot tell it apart from the site's own code. CSP addresses this by telling the browser which script sources are trusted, so that inline or foreign script injected by an attacker is refused. More information (Wikipedia).
Clickjacking
An attacker loads the target site inside an invisible or disguised frame on a page they control and lures the visitor into clicking what looks like a harmless element (e.g. a button), while the click actually lands on the framed site and triggers an action there. The CSP directive frame-ancestors lets a site state which origins, if any, may embed it in a frame. Learn more (Wikipedia).
How CSP works
Information about allowed resources is passed from the server to the browser in the HTTP header Content-Security-Policy, which can define allowed sources separately for scripts, stylesheets, embedded fonts, frames and other content types. A policy can allow individual files, entire hosts (including wildcard subdomains), or whole schemes such as https: or data:. In practice, the header tells the user's browser that "scripts may only be loaded from servers A and B, stylesheets from servers A and C, and images from servers A, B and D". The browser then refuses to load any resource that does not match, so malicious code injected into the site by an attacker will not run. If a page tries to load a resource that the policy does not allow, the browser can send a violation report to an address the administrator specifies (the report-uri or report-to directive), so that the administrator can investigate and take action immediately.
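As an added illustration (not code from the original page or from Seravo), the following JavaScript models how a browser evaluates a policy like the one described above against individual resource loads. The page origin, the policy and the host names are constructed; it implements a subset of the CSP matching rules (no path matching, no hash or 'strict-dynamic' sources) and exists to make the per-directive matching and the default-src fallback visible, not to replace a browser's implementation.

```javascript
// Added example (not from the original page or Seravo's documentation): a minimal
// model of how a browser applies a Content-Security-Policy header to a resource
// load. Covers 'self', 'none', host sources (wildcard subdomains, ports), scheme
// sources such as data:, the fallback to default-src, and inline script handling.
// Subset of the real CSP rules: no path matching, no hash or 'strict-dynamic' sources.

const PAGE_ORIGIN = 'https://www.example.com'; // hypothetical site origin (assumed)
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Constructed policy: scripts only from the site itself and one CDN, styles from the
// site and a font host, images from any example.com subdomain or data: URLs; every
// other resource type falls back to default-src, i.e. the site's own origin only.
const EXAMPLE_POLICY =
  "default-src 'self'; " +
  "script-src 'self' https://cdn.example.com; " +
  "style-src 'self' https://fonts.example.net; " +
  "img-src 'self' *.example.com data:; " +
  "report-uri /csp-report";

// Parse "directive src src; directive src" into { directive: [src, ...] }.
// Browsers ignore a repeated directive, so the first occurrence wins.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression permit loading `url` into a page at `pageOrigin`?
function sourceMatches(expr, url, pageOrigin) {
  const src = expr.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false;             // 'unsafe-inline', 'nonce-...' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // scheme source, e.g. data:

  // Host source: [scheme://]host[:port][/path]; the path part is ignored in this model.
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::([0-9]+|\*))?(?:\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (url.protocol !== `${scheme}:`) return false;
  } else if (url.protocol !== new URL(pageOrigin).protocol && url.protocol !== 'https:') {
    return false; // no scheme given: the page's own scheme, or https as a secure upgrade
  }
  if (host.startsWith('*.')) {
    // "*.example.com" matches any host under example.com but not example.com itself
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== '*' && url.hostname !== host) {
    return false;
  }
  // URL normalises a default port to "", so a source without a port matches only default ports.
  if (port === undefined) return url.port === '';
  return port === '*' || port === (url.port || DEFAULT_PORTS[url.protocol] || '');
}

// The directive that governs a fetch of the given type, falling back to default-src.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if ('default-src' in policy) return policy['default-src'];
  return null; // nothing applies: the load is not restricted by CSP
}

// Would the browser load `resourceUrl` for the given fetch directive under `header`?
function isAllowed(header, directive, resourceUrl, pageOrigin = PAGE_ORIGIN) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  const url = new URL(resourceUrl);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Inline <script> blocks (the usual XSS payload) are refused unless the policy opts
// in with 'unsafe-inline' or carries a nonce that the element repeats. As in CSP3,
// 'unsafe-inline' is ignored once a nonce or hash source is present.
function inlineScriptAllowed(header, nonce = null) {
  const sources = effectiveSources(parsePolicy(header), 'script-src');
  if (sources === null) return true;
  if (nonce !== null && sources.includes(`'nonce-${nonce}'`)) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed loads, showing what the header above lets through.
const checks = [
  ['script-src', 'https://www.example.com/app.js'],     // 'self'             -> allowed
  ['script-src', 'https://cdn.example.com/lib.js'],     // listed CDN         -> allowed
  ['script-src', 'https://evil.example.net/x.js'],      // injected script    -> BLOCKED
  ['img-src', 'https://static.example.com/logo.png'],   // *.example.com      -> allowed
  ['img-src', 'https://example.com/logo.png'],          // apex, no subdomain -> BLOCKED
  ['font-src', 'https://cdn.example.com/font.woff2'],   // default-src 'self' -> BLOCKED
];
for (const [directive, url] of checks) {
  const verdict = isAllowed(EXAMPLE_POLICY, directive, url) ? 'allowed' : 'BLOCKED';
  console.log(`${directive.padEnd(10)} ${url.padEnd(42)} ${verdict}`);
}
console.log(`inline <script>  ${inlineScriptAllowed(EXAMPLE_POLICY) ? 'allowed' : 'BLOCKED'}`);
```

Two things the table at the end makes visible: the font request is blocked even though no font-src was written, because default-src 'self' silently governs every directive that is not listed; and an inline script is blocked under 'self', which is exactly why an injected <script> payload fails but also why WordPress pages that emit inline script need nonces or hashes before a strict policy can be enforced.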
By default, Seravo does not enforce strict CSP rules. Implementing CSP is a process: the site's developers must ensure that the policy does not break the site's functionality, consider how new features will be added once CSP is in place, and actively monitor the reports that browsers send so that anomalies are detected. A policy can first be deployed with the Content-Security-Policy-Report-Only header, which reports violations without blocking anything, and be switched to the enforcing Content-Security-Policy header only once the reports show that no legitimate resources are being caught. A flawed implementation can easily mean a broken website. An additional challenge is posed by WordPress, whose core still has a few known CSP incompatibilities; in particular, core and many plugins emit inline scripts and styles, which a strict policy blocks unless nonces or hashes are used. However, when used correctly, CSP provides a significant additional layer of protection and can stop many attack attempts that would otherwise exploit an injection flaw.
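The monitoring step above is where a rollout usually stalls, because reports arrive one request at a time and the useful question is "which directive and which source keep tripping, and on how many pages?". The following JavaScript, added here as an example and not code from the original page or from Seravo, triages a batch of report bodies the way a report endpoint might: it groups them by effective directive and blocked source and attaches a suggested action. The report bodies are constructed to resemble the application/csp-report JSON browsers send; the set of known-good origins and the hints are this example's own assumptions. Reports look the same whether the header was Content-Security-Policy or Content-Security-Policy-Report-Only, so the same triage works during a report-only rollout.

```javascript
// Added example (not from the original page or Seravo's documentation): triage of
// the violation reports a browser POSTs to the report-uri endpoint. The report
// bodies are constructed; the aggregation and the hints are this example's own logic.

// Constructed sample request bodies, as a report endpoint would receive them.
const SAMPLE_REPORT_BODIES = [
  '{"csp-report":{"document-uri":"https://www.example.com/","violated-directive":"script-src","effective-directive":"script-src","blocked-uri":"inline","disposition":"report","status-code":200}}',
  '{"csp-report":{"document-uri":"https://www.example.com/about/","violated-directive":"script-src","effective-directive":"script-src","blocked-uri":"inline","disposition":"report","status-code":200}}',
  '{"csp-report":{"document-uri":"https://www.example.com/","violated-directive":"script-src","effective-directive":"script-src","blocked-uri":"https://cdn.example.com/lib.js","disposition":"report","status-code":200}}',
  '{"csp-report":{"document-uri":"https://www.example.com/shop/","violated-directive":"img-src","effective-directive":"img-src","blocked-uri":"https://tracker.example.net/pixel.gif","disposition":"report","status-code":200}}',
  '{"csp-report":{"document-uri":"https://www.example.com/","violated-directive":"default-src","effective-directive":"style-src","blocked-uri":"inline","disposition":"report","status-code":200}}',
  'not json at all', // malformed bodies do arrive; they must not crash the endpoint
];

// Origins the site's developers already know are legitimate (assumed for the example).
const KNOWN_ORIGINS = new Set(['https://cdn.example.com']);

// Reduce a blocked-uri to the key a developer acts on: the origin for URLs,
// the keyword itself ("inline", "eval", "data") for everything else.
function normaliseBlockedUri(blockedUri) {
  try {
    const origin = new URL(blockedUri).origin;
    return origin === 'null' ? blockedUri : origin;
  } catch {
    return blockedUri || '(empty)';
  }
}

// What a developer should do about a given (directive, source) pair.
function hint(directive, source, knownOrigins) {
  const kind = directive.replace('-src', '');
  if (source === 'inline') return `inline ${kind}: add a nonce or hash, or move it to a file`;
  if (source === 'eval') return "eval()-style code: refactor rather than add 'unsafe-eval'";
  if (knownOrigins.has(source)) return `origin is expected: add it to ${directive}`;
  return 'unknown origin: verify before allowing; may be an injection attempt';
}

// Parse, count and rank violations by (effective directive, blocked source).
function summarizeReports(bodies, knownOrigins = KNOWN_ORIGINS) {
  const counts = new Map();
  let malformed = 0;
  for (const body of bodies) {
    let report;
    try {
      report = JSON.parse(body)['csp-report'];
    } catch {
      malformed += 1;
      continue;
    }
    if (!report || typeof report !== 'object') { malformed += 1; continue; }
    // effective-directive names the directive that actually blocked the load; older
    // browsers send only violated-directive, sometimes with the whole source list.
    const directive = String(report['effective-directive'] || report['violated-directive'] || 'unknown').split(' ')[0];
    const source = normaliseBlockedUri(String(report['blocked-uri'] || ''));
    const key = `${directive} ${source}`;
    const entry = counts.get(key) || { directive, source, count: 0, pages: new Set() };
    entry.count += 1;
    entry.pages.add(String(report['document-uri'] || ''));
    counts.set(key, entry);
  }
  const rows = [...counts.values()]
    .map((e) => ({ directive: e.directive, source: e.source, count: e.count, pages: e.pages.size, hint: hint(e.directive, e.source, knownOrigins) }))
    .sort((a, b) => b.count - a.count || a.directive.localeCompare(b.directive) || a.source.localeCompare(b.source));
  return { rows, malformed };
}

// Print the triage table for the constructed batch.
const summary = summarizeReports(SAMPLE_REPORT_BODIES);
for (const r of summary.rows) {
  console.log(`${String(r.count).padStart(3)}x ${String(r.pages).padStart(2)} page(s)  ${r.directive.padEnd(10)} ${r.source.padEnd(28)} ${r.hint}`);
}
console.log(`${summary.malformed} malformed report body ignored`);
```

The two inline rows are the WordPress case from the paragraph above: they are counted per page so a developer can see whether one template or the whole site depends on inline code. The tracker row is the case the reports exist for, an origin nobody added on purpose, and the hint deliberately says verify rather than allow.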
CSP has its own chapter in Seravo's developer documentation.
More information about CSP
You can read more about CSP and its implementation for example in Mozilla's developer resources.