CSP
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection. These attacks are used for everything from data theft, to site defacement, to malware distribution.
CSP (Content Security Policy) is an elaborate mechanism that lets a server attach a policy to a web page, restricting what the page can do and which origins it can interact with. It is mainly meant to help prevent various code injection attacks. It is usually delivered in the `Content-Security-Policy` header of the response to the HTML request. See MDN for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
CSP: default-src #
The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directives. For each of the following directives that are absent, the user agent looks for the default-src directive and uses this value for it:
- child-src
- connect-src
- font-src
- frame-src
- img-src
- manifest-src
- media-src
- object-src
- prefetch-src
- script-src
- script-src-elem
- script-src-attr
- style-src
- style-src-elem
- style-src-attr
- worker-src
Example #
Content-Security-Policy: default-src 'self'; script-src https://example.com
# is the same as:
Content-Security-Policy: connect-src 'self';
font-src 'self';
frame-src 'self';
img-src 'self';
manifest-src 'self';
media-src 'self';
object-src 'self';
script-src https://example.com;
style-src 'self';
worker-src 'self'
CSP: none #
What does 'none' mean in a CSP Policy? #
When you encounter the 'none' keyword in a Content-Security-Policy header directive, it means that no resources are allowed to load for that directive. So if for example you have the following policy:
Content-Security-Policy: img-src 'none'
Then images will be prevented from loading on the page.
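The default-src fallback and the 'none' keyword, worked through as an added example (not part of the original notes): the resolver below returns which directive actually governs a load and whether a constructed origin passes. It goes one step beyond the page in encoding the CSP Level 3 chains for the *-elem/*-attr directives, frame-src and worker-src, which fall back to an intermediate directive before reaching default-src; source matching is deliberately simplified to 'self' and exact origins.

```python
# Added example, not code from the original notes. Resolves the governing
# directive under the fallback rules above, then checks a load against it.
# Origins used below are constructed test values.

# A directive absent from the policy is covered by the first present entry
# in its chain; every chain ends at default-src (CSP Level 3 semantics).
FALLBACK = {
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}

def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers honour only the first occurrence of a directive.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy, directive):
    """Return (governing directive, its source list), or (None, None) when
    neither the directive nor anything in its fallback chain is present."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return name, policy[name]
    return None, None

def allows(policy, directive, origin, same_origin):
    """Simplified matching: 'self' and exact scheme://host origins only (no
    wildcards, ports or paths). 'none' or an empty source list blocks everything."""
    _, sources = effective_sources(policy, directive)
    if sources is None:
        return True  # no governing directive at all: the load is unrestricted
    if not sources or sources == ["'none'"]:
        return False
    return any((src == "'self'" and same_origin) or src.lower() == origin.lower()
               for src in sources)

if __name__ == "__main__":
    page_policy = parse_csp("default-src 'self'; script-src https://example.com")
    print(effective_sources(page_policy, "img-src"))          # ('default-src', ["'self'"])
    print(effective_sources(page_policy, "script-src-elem"))  # ('script-src', ['https://example.com'])
    print(allows(parse_csp("img-src 'none'"), "img-src", "https://a.test", True))  # False
```

Note that a policy consisting only of `img-src 'none'` leaves every other fetch directive unrestricted, because there is no default-src to fall back to.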