Content Security Policy
Last updated on July 31, 2024
What is Content Security Policy?
Content Security Policy (CSP) is a browser security feature that websites use to protect against common web vulnerabilities and attacks such as cross-site scripting (XSS) and data injection. CSP works by declaring a policy that determines which content sources and content types the browser may load or execute on a webpage. It can restrict the loading of external resources so that they only come from trusted sources, and it can also control whether inline scripts or event handlers are allowed to run.
Implementation
CSP is implemented by sending an HTTP response header that contains a set of rules, called directives, instructing the browser how to handle the different types of content and resources on the webpage.
To use CookieYes with CSP, allow "*.cookieyes.com" and "cdn.cookieyes.com" as authorised domains/sub-domains; the following directives are supported.
Directive | Value
default-src | 'none'
script-src | 'self' cdn-cookieyes.com
style-src | 'self' 'unsafe-inline'
connect-src | 'self' *.cookieyes.com cdn-cookieyes.com
img-src | 'self' cdn-cookieyes.com
font-src | 'self'
object-src | 'none'
Your organisation's security requirements may differ, so adjust the policy accordingly.
The same directives and domains can also be delivered in a meta tag instead of a header, as in the following example:
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' cdn-cookieyes.com; style-src 'self' 'unsafe-inline'; connect-src 'self' *.cookieyes.com cdn-cookieyes.com; img-src 'self' cdn-cookieyes.com; object-src 'none'; font-src 'self';" />
To assess the effectiveness and correctness of your CSP implementation, you can paste your CSP header into Google's CSP Evaluator, which reports on the policy's effectiveness and suggests improvements based on best practices.
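The following Python script is an added example and not CookieYes's own code. It holds the directive table above, emits it both as the HTTP response header and as the meta tag, parses it back, checks whether sample resource loads would be permitted (including the fallback of absent fetch directives to default-src, and the fact that *.cookieyes.com does not match the bare cookieyes.com host), and flags the weaknesses a review such as CSP Evaluator would raise. The helper names (serialize, header_line, meta_tag, parse, allows, lint), the simplified source matching (ports and paths in host sources are ignored, only http/https pages are considered) and the sample URLs are this example's own assumptions.

```python
# Added example, not CookieYes's own code. Directive values come from the page;
# helper names and the simplified source matching (ports and paths in host
# sources ignored, http/https pages only) are this example's assumptions.
from urllib.parse import urlparse

# Directive table from the page, as directive -> source list.
COOKIEYES_CSP = {
    "default-src": ["'none'"],
    "script-src": ["'self'", "cdn-cookieyes.com"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "connect-src": ["'self'", "*.cookieyes.com", "cdn-cookieyes.com"],
    "img-src": ["'self'", "cdn-cookieyes.com"],
    "font-src": ["'self'"],
    "object-src": ["'none'"],
}

# Fetch directives fall back to default-src when absent; form-action,
# frame-ancestors and the like do not.
FETCH_DIRECTIVES = {"script-src", "style-src", "connect-src", "img-src",
                    "font-src", "object-src", "media-src", "frame-src"}

def serialize(policy):
    """Join the directive dict into the string a browser parses."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in policy.items())

def header_line(policy):
    """The policy as an HTTP response header line."""
    return f"Content-Security-Policy: {serialize(policy)}"

def meta_tag(policy):
    """The same policy as a <meta> tag for pages that cannot set headers."""
    return f'<meta http-equiv="Content-Security-Policy" content="{serialize(policy)}">'

def parse(csp_text):
    """Parse a serialized policy back into a directive dict."""
    policy = {}
    for part in csp_text.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_matches(pattern, host):
    """'*.example.com' matches subdomains only, never example.com itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def _source_matches(source, target, page_scheme):
    """Match one host-source expression (scheme optional) against a parsed URL."""
    scheme, host = source.split("://", 1) if "://" in source else (None, source)
    host = host.split("/", 1)[0].split(":", 1)[0]  # drop path and port (assumption)
    if scheme is None:
        # A scheme-less source inherits the page scheme; an http page may also fetch https.
        if target.scheme != page_scheme and not (target.scheme == "https" and page_scheme == "http"):
            return False
    elif target.scheme != scheme.lower():
        return False
    return _host_matches(host, target.hostname or "")

def allows(policy, directive, url, page_origin="https://www.example.com"):
    """Would a browser enforcing `policy` on `page_origin` load `url` under `directive`?"""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True  # nothing in the policy restricts this directive
    if sources == ["'none'"]:
        return False
    target, page = urlparse(url), urlparse(page_origin)
    for source in sources:
        if source == "'self'":
            if (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port):
                return True
        elif not source.startswith("'"):  # keywords, nonces and hashes never match URLs
            if _source_matches(source, target, page.scheme):
                return True
    return False

def lint(policy):
    """Flag the weaknesses a policy review (or CSP Evaluator) would point out."""
    findings = []
    for directive, values in policy.items():
        if "'unsafe-inline'" in values:
            findings.append(f"{directive} allows 'unsafe-inline'")
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append("object-src missing and default-src does not forbid plugins")
    return findings

if __name__ == "__main__":
    print(header_line(COOKIEYES_CSP))
    print(meta_tag(COOKIEYES_CSP))
    for directive, url in [("script-src", "https://cdn-cookieyes.com/example.js"),  # constructed
                           ("connect-src", "https://cookieyes.com/event"),          # sample URLs
                           ("frame-src", "https://cdn-cookieyes.com/frame")]:
        print(directive, url, "allowed" if allows(COOKIEYES_CSP, directive, url) else "blocked")
    print(lint(COOKIEYES_CSP))
```

Two points the checks make visible: with default-src 'none', any resource type without its own directive (frames, media, and so on) is blocked, so a new resource type needs an explicit directive rather than a loosening of default-src; and 'unsafe-inline' in style-src is the one weakening in this policy, which the lint reports just as CSP Evaluator would. When deploying, the header form is preferable to the meta tag, because a meta tag cannot carry frame-ancestors, report-uri or sandbox and only applies to content loaded after it appears; the Content-Security-Policy-Report-Only header lets you observe violations before enforcing the policy.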