Importance of Content-Security-Policy HTTP Header

Attackers routinely inject content into public sites that appears to belong to the legitimate site but is in fact hosted somewhere else. Once the victim's browser loads and executes that content, the attacker acts with the victim's privileges on that site: reading the session, performing actions as the user, or capturing what the user types. Cross-site scripting (XSS) and clickjacking are the usual routes to this. Content Security Policy (CSP) was introduced to give a site a way of telling the browser which content it is allowed to load and run on the site's pages.

The primary use of CSP is to mitigate cross-site scripting (XSS). One might wonder how a single response header can blunt an attack as serious as XSS. The answer is that CSP does not remove the injection bug; it limits what injected content can do. When a developer sends a Content-Security-Policy header with the application's responses, the browser enforces an allowlist of sources for scripts, styles, images, frames and other resources, and it refuses to run inline script and eval-style string evaluation unless the policy explicitly permits them, ideally through a per-response nonce or a hash rather than 'unsafe-inline'. Markup an attacker injects into the page therefore arrives at the browser but is not executed. CSP is defence in depth, not a substitute for output encoding and input validation: a loose policy, for example one with 'unsafe-inline' or a bare wildcard in script-src, gives no XSS protection at all.

Following are the ways CSP blocks content the policy does not allow:

  • A resource (script, stylesheet, image, font, frame, or fetch/XHR target) is not loaded if its origin is not allowed by the directive that governs it, or by default-src when no specific directive is set.
  • A script from a permitted origin is executed, but inline script, inline event handlers and eval are refused unless the policy explicitly allows them via 'unsafe-inline' / 'unsafe-eval' or, preferably, a matching nonce or hash.
  • The site defines the list of rules in the header, the browser applies them to every load on the page, and anything that does not match is blocked by the browser before it can run. Violations can be reported back to the site through the report-uri or report-to directive, so a new policy is usually rolled out first in Content-Security-Policy-Report-Only mode to discover the legitimate resources it would break.

CSP should be applied in particular to applications that handle sensitive data or privileged actions, such as administrative UIs, device management consoles, and anything that renders user-supplied messages or media files, because those are the pages where injected script does the most damage. Start from a strict baseline (default-src 'none', a nonce- or hash-based script-src, object-src 'none', base-uri 'none', and frame-ancestors to control who may frame the page, which is the directive that actually addresses clickjacking) and add sources only as legitimate resources require them.