Severity: Best Practice
CSP is an added layer of security that helps to mitigate mainly Cross-site Scripting attacks.
CSP can be enabled instructing the browser with a Content-Security-Policy directive in a response header;
Content-Security-Policy: script-src 'self';
or in a meta tag;
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
In the above example, you can restrict script loading only to the same domain. It will also restrict inline script executions both in the element attributes and the event handlers. There are various directives which you can use by declaring CSP:
When setting the CSP directives, you can also use some CSP keywords:
In addition to CSP keywords, you can also use wildcard or only a scheme when defining whitelist URLs for the points. Wildcard can be used for subdomain and port portions of the URLs:
Content-Security-Policy: script-src https://*.example.com;
Content-Security-Policy: script-src https://example.com:*;
Content-Security-Policy: script-src https:;
It is also possible to set a CSP in Report-Only mode instead of forcing it immediately in the migration period. Thus you can see the violations of the CSP policy in the current state of your web site while migrating to CSP:
Content-Security-Policy-Report-Only: script-src 'self'; report-uri: https://example.com;
There is no direct impact of not implementing CSP on your website. However, if your website is vulnerable to a Cross-site Scripting attack CSP can prevent successful exploitation of that vulnerability. By not implementing CSP you’ll be missing out on this extra layer of security.
Content-Security-Policy
in HTTP response headers that instruct the browser to apply the policies you specified.Enable CSP on your website by sending the Content-Security-Policy
in HTTP response headers that instruct the browser to apply the policies you specified.