Content Security Policy

Cross-site scripting (XSS) remains one of the most impactful vulnerabilities today. Properly sanitizing user input before rendering it is a must. This has become easier with Single Page App frameworks like React, Vue or Angular, but mistakes and omissions can still happen. The Content Security Policy (CSP) offers an additional layer of protection against XSS attacks.

It relies on an exhaustive list of the domains from which your application is allowed to load assets (fonts, images, stylesheets, JavaScript, etc.). Thus, if a user loads a page into which an attacker has injected a malicious resource, the browser will still render your page but will refuse to load the attacker's resource because its origin is not in the list.

Content Security Policy takes a little bit of effort to implement and maintain. Whenever you add new assets to your application, you will need to update your Content Security Policy accordingly.

Sqreen helps you build a robust policy faster by recording the domains from which assets are loaded. Sqreen pre-filters the non-legitimate assets and lets you add the ones you trust.

The CSP comes in two modes: a report-only mode that only reports violations without blocking anything, and a protection mode that blocks any asset not allowed by the policy.
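The following is an added example, not code from the original page or from Sqreen, illustrating the allowlist mechanism described above and the difference between the two modes. It builds a policy from an explicit list of origins, serializes it into the header value a server would send, and simulates the browser's decision for each resource a page tries to load. All origins, file names and the `policy`, `serializePolicy`, `headerName`, `isAllowed` and `evaluatePage` identifiers are constructed for illustration; the matching logic is deliberately reduced to exact-origin and `'self'` matching (real browsers also handle schemes, wildcards, nonces and hashes).

```javascript
// Added example (not from the original page or from Sqreen): model a CSP
// allowlist, serialize it into a header, and simulate the browser's decision.
// Every origin below is a constructed placeholder.

// Policy as a map of directive -> list of allowed sources.
// 'self' means the origin the page itself was served from.
const policy = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example-static.test"],
  "style-src": ["'self'", "https://fonts.example-static.test"],
  "font-src": ["https://fonts.example-static.test"],
  "img-src": ["'self'", "https://images.example-static.test"],
};

// Serialize the policy into the header value the server must send, e.g.
// "default-src 'self'; script-src 'self' https://cdn.example-static.test; ..."
function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Report-only mode is selected by the header name: violations are reported
// but nothing is blocked. The plain header enforces the policy.
function headerName(reportOnly) {
  return reportOnly
    ? "Content-Security-Policy-Report-Only"
    : "Content-Security-Policy";
}

// Reduced model of source matching: exact origin or 'self'.
// (Schemes, wildcards, nonces and hashes are intentionally not modelled.)
function sourceMatches(source, pageOrigin, resourceUrl) {
  const origin = new URL(resourceUrl).origin;
  if (source === "'self'") return origin === pageOrigin;
  return source === origin;
}

// Decide whether a resource governed by `directive` may load. When the
// specific fetch directive is absent, browsers fall back to default-src.
function isAllowed(policy, directive, pageOrigin, resourceUrl) {
  const sources = policy[directive] || policy["default-src"] || [];
  return sources.some((s) => sourceMatches(s, pageOrigin, resourceUrl));
}

// Simulate a page load: list every resource that violates the policy, and
// which of those would actually be blocked given the chosen mode.
function evaluatePage(policy, pageOrigin, resources, reportOnly) {
  const violations = resources
    .filter((r) => !isAllowed(policy, r.directive, pageOrigin, r.url))
    .map((r) => ({ directive: r.directive, url: r.url }));
  return {
    header: headerName(reportOnly),
    value: serializePolicy(policy),
    violations,
    blocked: reportOnly ? [] : violations.map((v) => v.url),
  };
}

// Constructed sample page: legitimate assets plus one injected script tag.
const pageOrigin = "https://app.example.test";
const sampleResources = [
  { directive: "script-src", url: "https://app.example.test/static/app.js" },
  { directive: "script-src", url: "https://cdn.example-static.test/lib.js" },
  { directive: "font-src", url: "https://fonts.example-static.test/a.woff2" },
  // No connect-src directive in the policy, so default-src ('self') applies.
  { directive: "connect-src", url: "https://app.example.test/api/items" },
  // Injected by an attacker; its origin is not in the allowlist.
  { directive: "script-src", url: "https://injected.example.test/x.js" },
];

// Typical rollout: run report-only first to find legitimate assets you forgot,
// then switch to enforcement once the violation list contains only junk.
const reportOnlyResult = evaluatePage(policy, pageOrigin, sampleResources, true);
const enforcedResult = evaluatePage(policy, pageOrigin, sampleResources, false);
console.log(reportOnlyResult.header, "->", reportOnlyResult.violations);
console.log(enforcedResult.header, "-> blocked:", enforcedResult.blocked);
```

Running the simulation in report-only mode first is what makes the "record then allow" workflow practical: the violation list surfaces both forgotten legitimate domains (to be added) and unexpected ones (to be left out) before any user-facing asset is blocked.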