Content Security Policy (CSP)
For smaller sites, where you are not loading content from very many external sources, CSP can be quite easy to configure by hand. But for larger sites with more complex external content requirements, it is easier to let Sqreen automatically configure your CSP.
Enable CSP for your application
The first step is to visit the configuration page for your app, and enable CSP Monitoring Mode. Don't forget to hit "Save changes" when you are done!
At this point, everything is set up, and it's time to start teaching Sqreen about your external resources.
Using Monitoring mode
Don't use Safari for this step
At the moment, Safari's support for CSP reporting is not working with Sqreen. This feature is what enables Sqreen to learn about the external content sources. We're working on making sure Safari and other browsers will work in the future!
Sqreen will automatically detect the external content sources once you have loaded your web application in your browser. You should carefully examine this list and ensure that every external resource you rely on shows up, and nothing else.
Once you have decided that one or more of the resources belongs in your CSP, click the green + button to add it to the whitelist.
Save your work!
Don't forget to hit that big green "Save" button at the bottom of the page! ✅
Of course, if you have a very complex reliance on external resources, you might have to visit many of your site's pages to ensure that all of them have been found.
Manually adding domains to the whitelist
You can also add domains manually to the whitelist.
Just add your domain to the popup.
SSL is the default
If your external resource is protected by SSL (it uses an https:// prefix), you can just enter the domain as in the image below.
If your external resource is not protected by SSL (it uses an http:// prefix), you must include an http:// prefix. So, for example.com, you would type
Enable protection mode
Once you have your CSP set as you like it, it's time to enforce it. Click the "Protection Mode" button to…wait for it…enable blocking mode.
Now, any external resource loaded from a domain not in the CSP whitelist, or from a whitelisted domain whose content type doesn't match the authorizations for that domain, will be blocked by web browsers. This ensures that attacks that rely on loading unauthorized resources will fail.
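The two modes above map onto two response headers: monitoring mode is CSP's Report-Only header (violations are reported to the report endpoint but nothing is blocked), and protection mode is the enforcing header. The following Python is an added example, not Sqreen's own code, of building both headers from a per-directive whitelist and of checking whether a resource URL would be permitted. It applies the rule from the "SSL is the default" section (a bare domain is taken as https://, an explicit http:// prefix is kept) and uses CSP's own directive names (script-src, img-src, ...) as the per-domain content-type authorization. The whitelist, the page origin and the report path are constructed for the example; port matching is omitted.

```python
"""Build a CSP header from a whitelist and evaluate resource URLs against it.
Added example (not Sqreen's code); the whitelist below is constructed."""
from urllib.parse import urlparse


def normalize_source(entry):
    """Apply the page's rule: a bare domain means https://, an explicit
    http:// or https:// prefix is kept as written, CSP keywords ('self',
    'none', ...) pass through untouched."""
    entry = entry.strip()
    if entry.startswith("'"):
        return entry
    if entry.startswith("http://") or entry.startswith("https://"):
        return entry.rstrip("/")
    return "https://" + entry


def build_csp_header(whitelist, report_uri, enforce):
    """Return (header name, header value). Monitoring mode uses the
    Report-Only header, which reports but blocks nothing; protection mode
    switches to the enforcing header with the same policy text."""
    parts = []
    for directive, sources in whitelist.items():
        parts.append(directive + " " + " ".join(normalize_source(s) for s in sources))
    parts.append("report-uri " + report_uri)
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, "; ".join(parts)


def _host_matches(pattern, host):
    """Exact host match, or '*.example.com' matching any subdomain
    (but not example.com itself, as in CSP)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(source, url, page_origin):
    parsed = urlparse(url)
    if source == "'self'":
        origin = urlparse(page_origin)
        return parsed.scheme == origin.scheme and parsed.hostname == origin.hostname
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', ... never match a URL
    scheme, rest = source.split("://", 1)
    host = rest.split("/", 1)[0].split(":", 1)[0]
    # CSP lets an http:// source also match the https:// form of the same host
    scheme_ok = parsed.scheme == scheme or (scheme == "http" and parsed.scheme == "https")
    return scheme_ok and _host_matches(host, parsed.hostname or "")


def is_allowed(whitelist, directive, url, page_origin):
    """Would a browser enforcing this policy load `url` for `directive`?
    A directive with no entry falls back to default-src, as in CSP."""
    sources = whitelist.get(directive, whitelist.get("default-src", ["'none'"]))
    return any(_source_matches(normalize_source(s), url, page_origin) for s in sources)


# Constructed whitelist: bare domains are https-only, one http image host,
# one wildcard CDN host.
WHITELIST = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "cdn.example.net"],
    "img-src": ["'self'", "http://images.example.org", "*.cdn.example.net"],
}
PAGE_ORIGIN = "https://app.example.com"

if __name__ == "__main__":
    print(build_csp_header(WHITELIST, "/csp-report", enforce=False))
    print(build_csp_header(WHITELIST, "/csp-report", enforce=True))
    for directive, url in [("script-src", "https://cdn.example.net/app.js"),
                           ("script-src", "http://cdn.example.net/app.js"),
                           ("img-src", "https://static.cdn.example.net/a.png"),
                           ("style-src", "https://fonts.example.com/x.css")]:
        print(directive, url, is_allowed(WHITELIST, directive, url, PAGE_ORIGIN))
```

The second script-src case shows why the http:// prefix matters: because the whitelist entry was entered as a bare domain, the same host over plain http is rejected.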
Receive security alerts
Sqreen will send you a pulse when an unauthorized resource is loaded at least 5 times, by 5 different IP addresses, within a 30-minute window. A CSP pulse means one of two things:
First, it could mean that someone is attempting to hack your web application by injecting unauthorized external resources (and is failing, because your app is protected by your CSP). In these cases, you will probably want to dig deeper into the pulse to understand who is attacking your site and why.
Second, it could mean that your CSP is misconfigured. It is possible that you missed an external resource during monitoring mode, or that your developers have added a new external resource that needs to be whitelisted. In these cases, you can hit the green + button next to the suggested domain on the CSP configuration page to add the domain to your CSP whitelist.
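To make the alert rule concrete, here is an added Python example (not Sqreen's code) that aggregates CSP violation reports the way the pulse threshold above describes: a blocked URI raises an alert once it has been reported at least 5 times by at least 5 distinct client IPs inside a 30-minute sliding window. The report bodies use the browser's csp-report JSON shape; the surrounding `ts` and `ip` fields, the endpoint log format and every sample value are constructed for the example. Each alert also carries the origin of the blocked URI, which is the domain you would either whitelist (misconfiguration) or investigate (attempted injection).

```python
"""Aggregate CSP violation reports into alerts using the page's threshold.
Added example (not Sqreen's code); all sample data is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

WINDOW = timedelta(minutes=30)
MIN_LOADS = 5
MIN_DISTINCT_IPS = 5


def parse_report(line):
    """One log line = one POST to the report endpoint: the endpoint's own
    ts/ip fields wrapping the browser's csp-report body."""
    rec = json.loads(line)
    body = rec["body"]["csp-report"]
    return {"ts": datetime.fromisoformat(rec["ts"]), "ip": rec["ip"],
            "blocked_uri": body["blocked-uri"], "directive": body["violated-directive"]}


def find_alerts(lines):
    """Return {blocked_uri: alert} for every URI that crosses the threshold
    within some 30-minute window; the alert is recorded the first time the
    threshold is met, so older reports outside the window do not count."""
    events = sorted((parse_report(l) for l in lines), key=lambda e: e["ts"])
    by_uri = defaultdict(list)
    for e in events:
        by_uri[e["blocked_uri"]].append(e)
    alerts = {}
    for uri, evs in by_uri.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1  # slide the window forward past stale reports
            window = evs[start:end + 1]
            ips = {w["ip"] for w in window}
            if len(window) >= MIN_LOADS and len(ips) >= MIN_DISTINCT_IPS:
                origin = urlparse(uri)
                alerts[uri] = {"loads": len(window), "distinct_ips": len(ips),
                               "directive": evs[end]["directive"],
                               "origin": origin.scheme + "://" + (origin.hostname or "")}
                break
    return alerts


def _report(ts, ip, blocked_uri, directive="script-src"):
    """Build a constructed endpoint log line."""
    return json.dumps({"ts": ts, "ip": ip, "body": {"csp-report": {
        "document-uri": "https://app.example.com/", "violated-directive": directive,
        "blocked-uri": blocked_uri}}})


BAD = "https://bad.example/x.js"          # 5 distinct IPs within 30 min -> alert
NEW_CDN = "https://new-cdn.example.net/app.js"  # only 2 reports -> no alert
REFRESHER = "https://analytics.example.org/t.js"  # 6 loads but 2 IPs -> no alert
SAMPLE_LINES = [
    _report("2024-05-01T09:00:00", "10.0.0.9", BAD),   # too old to count with the rest
    _report("2024-05-01T10:00:00", "10.0.0.1", BAD),
    _report("2024-05-01T10:05:00", "10.0.0.2", BAD),
    _report("2024-05-01T10:10:00", "10.0.0.3", BAD),
    _report("2024-05-01T10:15:00", "10.0.0.4", BAD),
    _report("2024-05-01T10:20:00", "10.0.0.5", BAD),
    _report("2024-05-01T10:22:00", "10.0.0.1", BAD),
    _report("2024-05-01T10:30:00", "10.0.0.7", NEW_CDN),
    _report("2024-05-01T10:31:00", "10.0.0.8", NEW_CDN),
] + [_report("2024-05-01T11:%02d:00" % m, "10.0.1.%d" % (1 + m % 2), REFRESHER, "script-src")
     for m in range(6)]

if __name__ == "__main__":
    for uri, alert in find_alerts(SAMPLE_LINES).items():
        print(uri, alert)
```

Only `BAD` produces an alert: the 09:00 report from a sixth IP falls outside the window by the time the other five arrive, so it is not what tips the count over, and the 10:22 repeat from 10.0.0.1 is not needed either. `NEW_CDN` looks like the "developer added a resource" case, but two reports are below the threshold, and `REFRESHER` shows why the distinct-IP condition exists: one or two clients reloading a page do not make a pulse.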