Content-Security-Policy (CSP) is an HTTP response header that lets a site administrator control which resources the browser may load for a given page. It instructs the browser to load only content that comes from sources the policy allows.
The header adds a layer of defence that helps detect and mitigate certain classes of attack, including cross-site scripting (XSS) and other data injection attacks. Such attacks are used for everything from data theft to full site defacement and malware distribution. With few exceptions, a policy specifies the allowed origins for each kind of resource and the permitted script endpoints, and it is this restriction on where script may come from that guards against XSS.
Implementing this header in the HTTP response can prevent or limit cross-site scripting, mixed-content problems, clickjacking (through the frame-ancestors directive), protocol downgrades (through upgrade-insecure-requests) and other code injection that results from untrusted content being injected into a trusted resource. CSP is defence in depth, not a substitute for fixing the injection itself: output encoding and input validation still come first, and the policy limits the damage when they fail.
How CSP works:
As developers we specify the policy in the Content-Security-Policy header. A browser that supports CSP (every current mainstream browser, including Chrome and Firefox) parses the header and decides which sources are trusted based on the instructions it contains. It is essentially an allowlist approach: sources are given as keywords such as 'self' (which allows resources from the page's own origin; it does not allow inline scripts, which need 'unsafe-inline', a nonce or a hash), specific domains, or nonces and hashes that must be present and valid for the content to load. Because 'unsafe-inline' reopens the door to XSS, nonces or hashes are the preferred way to allow inline script, and browsers ignore 'unsafe-inline' once a directive also contains a nonce or hash.
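To make the allowlist behaviour concrete, here is an added example (not part of the original article and not a browser's real implementation) of a small Python evaluator that parses a policy and decides whether a script URL or an inline script is permitted by 'self', host sources, nonces or hashes. The policy string, page origin, nonce and URLs are made up for the example, and host matching is simplified (no path matching, and a port in the pattern must be explicit in the URL).

```python
import base64
import hashlib
from urllib.parse import urlparse


def parse_csp(policy):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}.
    Directive names are case-insensitive; a repeated directive is ignored, as in browsers."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def script_hash(source, algo="sha256"):
    """Return the source expression ('sha256-<base64>') that allows one exact inline script body."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def _origin(url):
    p = urlparse(url)
    return "%s://%s" % (p.scheme.lower(), p.netloc.lower())


def _host_matches(pattern, url):
    """Match a host-source such as https://cdn.example.com, *.example.com or
    cdn.example.com:8443 against a URL. Simplified: no path matching."""
    parsed = urlparse(url)
    scheme, sep, hostport = pattern.partition("://")
    if not sep:                       # pattern carries no scheme
        scheme, hostport = None, pattern
    if scheme and parsed.scheme.lower() != scheme.lower():
        return False
    host, _, port = hostport.split("/", 1)[0].partition(":")
    host = host.lower()
    url_host = (parsed.hostname or "").lower()
    if host == "*":
        pass
    elif host.startswith("*."):
        if not url_host.endswith(host[1:]):
            return False
    elif url_host != host:
        return False
    if port and port != "*" and parsed.port != int(port):
        return False
    return True


def allows(policy, directive, page_url, url=None, inline_source=None, nonce=None):
    """Decide whether the policy lets `directive` load `url`, or run an inline
    script given its body and/or the nonce attribute on its tag."""
    directives = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True                   # neither the directive nor default-src is set: unrestricted
    if "'none'" in sources:
        return False
    if url is not None:
        for src in sources:
            if src == "'self'":
                if _origin(url) == _origin(page_url):
                    return True
            elif src.startswith("'"):
                continue              # other keywords never match a URL
            elif src.endswith(":"):   # scheme-source such as https:
                if urlparse(url).scheme.lower() == src[:-1].lower():
                    return True
            elif _host_matches(src, url):
                return True
        return False
    # Inline script: a nonce or a hash must match. Browsers ignore 'unsafe-inline'
    # as soon as the same directive also carries a nonce or hash.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if nonce is not None and "'nonce-%s'" % nonce in sources:
        return True
    if inline_source is not None and any(
            script_hash(inline_source, a) in sources for a in ("sha256", "sha384", "sha512")):
        return True
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


if __name__ == "__main__":
    # Constructed policy, page and URLs for demonstration only.
    policy = "default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-r4nd0m'"
    page = "https://app.example.com/"
    print(allows(policy, "script-src", page, url="https://cdn.example.com/lib.js"))
    print(allows(policy, "script-src", page, url="https://evil.example.net/x.js"))
    print(allows(policy, "script-src", page, inline_source="alert(1)"))
    print(script_hash("alert(1)"))
```

The img-src case in the usage below shows the fallback: a directive that is not listed inherits default-src, so the CDN that is fine for scripts is refused for images under this policy.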
Enablement in Apache:
Add the line below to httpd.conf (or the relevant virtual host configuration) and restart the web server for it to take effect. The Header directive is provided by mod_headers, which must be enabled.
Header set Content-Security-Policy "default-src 'self';"
Enablement in Nginx:
Add the directive below inside the server block of nginx.conf (or the included site configuration) and reload nginx.
add_header Content-Security-Policy "default-src 'self';";
Append the always parameter after the closing quote so that nginx sends the header regardless of the response code; without it, add_header only applies to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, so error pages go out unprotected. Also note that add_header directives are only inherited from the enclosing level when the current level defines none of its own, so a location block with its own add_header silently drops the CSP header unless it is repeated there.
Enablement in Microsoft IIS:
Either use the HTTP Response Headers feature in IIS Manager, or add the syntax below to web.config.
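Whichever server is used, the check a practitioner wants after enabling the header is that every response carries it, including error pages, which is exactly what the nginx always parameter above is about. The added Python script below (not part of the original article) does that check: check_csp fetches a normal page and a path that does not exist and reports which responses lack the header. The start_demo_server helper is a constructed stand-in on localhost that mimics a server with and without the "always" behaviour so the script runs offline; against a real deployment call check_csp with the site's base URL instead.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

CSP = "default-src 'self'"   # policy the demo server sends; constructed for the example


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server configured as in the text."""

    def do_GET(self):
        status = 200 if self.path == "/" else 404
        body = b"<html><body>hello</body></html>" if status == 200 else b"not found"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        # csp_always=True mirrors nginx's "add_header ... always": header on every
        # status. csp_always=False mirrors the default: header on 2xx/3xx only.
        if self.server.csp_always or status == 200:
            self.send_header("Content-Security-Policy", CSP)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_demo_server(csp_always=True):
    """Start the stand-in server on a free localhost port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    srv.csp_always = csp_always
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch_csp(url):
    """Return (status, CSP header value or None). urlopen raises on 4xx/5xx, and
    those error responses are precisely the ones we need to inspect."""
    try:
        with urlopen(Request(url), timeout=5) as resp:
            return resp.status, resp.headers.get("Content-Security-Policy")
    except HTTPError as err:
        return err.code, err.headers.get("Content-Security-Policy")


def check_csp(base_url, paths=("/", "/this-path-does-not-exist")):
    """Map each probed path to (status, header value)."""
    return {p: fetch_csp(base_url + p) for p in paths}


def missing_csp(results):
    """Paths whose response came back without a Content-Security-Policy header."""
    return [p for p, (_, hdr) in results.items() if hdr is None]


if __name__ == "__main__":
    for always in (True, False):
        srv, base = start_demo_server(csp_always=always)
        results = check_csp(base)
        for path, (status, hdr) in results.items():
            print("always=%s %s -> %d CSP=%r" % (always, path, status, hdr))
        print("missing on:", missing_csp(results))
        srv.shutdown()
```

Run the script and the second pass shows the 404 response without the header, which is what a misconfigured nginx (no always) or an error page served by a different location block looks like from the outside.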