Content Security Policy (CSP)


Content Security Policy (CSP) is a web standard, delivered as an HTTP response header, introduced to prevent cross-site scripting (XSS) attacks. It works by giving web browsers a whitelist of domains that may serve each kind of content, including JavaScript, CSS, HTML frames, and so forth. Any content that the browser is instructed to load from a domain that is not whitelisted for that content type will not be loaded.

For smaller sites, where you are not loading content from very many external sources, CSP can be quite easy to configure by hand. But for larger sites with more complex external content requirements, it is easier to let Sqreen automatically configure your CSP.

Enable CSP for your application

The first step is to visit the configuration page for your app, and enable CSP Monitoring Mode. Don't forget to hit "Save changes" when you are done!

[Screenshot: CSP_disabled_default.png]

At this point, everything is set up, and it's time to start teaching Sqreen about your external resources.

Using Monitoring mode

You will need to restart your web application for the changes to kick in. Once you have done that, navigate to your web application with your web browser. If you look at your JavaScript console, you should see some CSP violation errors, indicating that the CSP is now in effect in "Report Only" mode: violations are reported to Sqreen, but nothing is blocked yet.

Don't use Safari for this step

At the moment, Safari's support for CSP reporting is not working with Sqreen. This feature is what enables Sqreen to learn about the external content sources. We're working on making sure Safari and other browsers will work in the future!

[Screenshot: step 2.png]

Sqreen will automatically detect the external content sources, once you have loaded your web application in your browser. You should carefully examine this list, and ensure that all and only the external resources you rely on show up.

[Screenshot: learning mode.png]

Once you have decided that one or more of the resources belongs in your CSP, click the green + button to add it to the whitelist.

[Screenshot: learning success.png]

Save your work!

Don't forget to hit that big green "Save" button at the bottom of the page! ✅

Of course, if you have a very complex reliance on external resources, you might have to visit many of your site's pages to ensure that all of them have been found.

Manually adding domains to the whitelist

You can also add domains manually to the whitelist.

[Screenshot: manually add a domain.png]

Just add your domain to the popup.

SSL is the default

If your external resource is protected by SSL (it uses an https:// prefix), you can just enter the domain as in the image below.

If your external resource is not protected by SSL (it uses an http:// prefix), you must include the http:// prefix explicitly. So, for example.com served over plain HTTP, you would type http://example.com.
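To make the scheme rule and the two header modes concrete, here is an added Python example (not Sqreen's code) that turns whitelist entries typed the way the popup expects into a CSP header, emitting Content-Security-Policy-Report-Only for monitoring mode and Content-Security-Policy for protection mode, and then checks whether a given resource would be allowed. The directive names, the report endpoint path and the source-matching rules are assumptions: the matcher is deliberately simplified (exact scheme+host comparison, no wildcards, paths or nonces), which is enough to show why a domain whitelisted as https:// does not authorize the same domain over http://.

```python
from __future__ import annotations
from urllib.parse import urlsplit


def normalize_source(entry: str) -> str:
    """Apply the page's rule: a bare domain means https://, an explicit
    http:// prefix is kept. (Hypothetical helper, not Sqreen's own.)"""
    entry = entry.strip().rstrip("/")
    if entry.startswith("http://") or entry.startswith("https://"):
        return entry
    return "https://" + entry  # SSL is the default


def build_csp_header(allowed: dict[str, list[str]], enforce: bool,
                     report_uri: str) -> tuple[str, str]:
    """Return (header_name, header_value).

    allowed maps a CSP directive (script-src, style-src, frame-src, ...) to
    the whitelist entries authorized for that content type. Monitoring mode
    only reports violations; protection mode makes the browser block them.
    """
    parts = []
    for directive, entries in allowed.items():
        sources = ["'self'"] + [normalize_source(e) for e in entries]
        parts.append(f"{directive} {' '.join(sources)}")
    # Violation reports are what lets the monitoring side learn about sources.
    parts.append(f"report-uri {report_uri}")
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, "; ".join(parts)


def is_allowed(allowed: dict[str, list[str]], directive: str,
               resource_url: str, page_origin: str) -> bool:
    """Simplified source matching: same origin as the page ('self') is fine,
    otherwise the resource's scheme+host must equal a normalized whitelist
    entry for that directive. A content type not authorized for a domain is
    therefore blocked even if the domain is whitelisted under another one."""
    res = urlsplit(resource_url)
    res_origin = f"{res.scheme}://{res.netloc}"
    if res_origin == page_origin:
        return True
    return res_origin in {normalize_source(e) for e in allowed.get(directive, [])}


if __name__ == "__main__":
    policy = {"script-src": ["cdn.example.com", "http://legacy.example.net"],
              "style-src": ["fonts.example.org"]}
    print(build_csp_header(policy, enforce=False, report_uri="/csp-report"))
    print(build_csp_header(policy, enforce=True, report_uri="/csp-report"))
    print(is_allowed(policy, "script-src", "http://cdn.example.com/app.js",
                     "https://www.example.com"))  # blocked: whitelisted as https only
```

Switching `enforce` from False to True changes only the header name, which is exactly what moving from monitoring to protection mode does: the policy value stays the same, so a whitelist validated in report-only mode carries over unchanged.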

[Screenshot: manual.png]

Enable protection mode

Once you have your CSP set as you like it, it's time to enforce it. Click the "Protection Mode" button to…wait for it…enable blocking mode.

[Screenshot: blocking mode.png]

Now, any external resource loaded from a domain that is not in the CSP whitelist, or from a whitelisted domain but with a content type that doesn't match the authorizations for that domain, will be blocked by web browsers. This ensures that attacks that rely on loading unauthorized resources will fail.

Receive security alerts

Sqreen will send you a pulse when an unauthorized resource is loaded at least 5 times, by 5 different IP addresses, within a 30-minute window. A CSP pulse means one of two things:

First, it could mean that someone is attempting to hack your web application by injecting unauthorized external resources (and is failing, because your app is protected by your CSP). In these cases, you will probably want to dig deeper into the pulse to understand who is attacking your site and why.

Second, it could mean that your CSP is misconfigured. It is possible that you missed an external resource during monitoring mode, or that your developers have added a new external resource that needs to be whitelisted. In these cases, you can hit the green + button next to the suggested domain on the CSP configuration panel to add the domain to your CSP whitelist.
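The two things a pulse can mean both start from the same raw material: the violation reports browsers send to the report endpoint. The added Python example below (not Sqreen's code) parses a constructed log of such reports, applies the page's threshold (at least 5 reports from at least 5 distinct IPs within a 30-minute window, evaluated per blocked origin and directive) to decide which sources deserve a pulse, and lists the distinct blocked origins as whitelist candidates for review. The log shape (one JSON object per line with `ip` and `ts` added by the server) is an assumption; the `csp-report` body fields are the standard ones browsers send.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: reports received at the report-uri endpoint, one per
# line, with the client IP and receive time added server-side (assumed shape).
SAMPLE_LOG = """\
{"ip": "203.0.113.20", "ts": "2020-01-01T09:00:00", "csp-report": {"document-uri": "https://www.example.com/", "violated-directive": "script-src", "blocked-uri": "https://evil.example.org/x.js"}}
{"ip": "203.0.113.10", "ts": "2020-01-01T10:00:00", "csp-report": {"document-uri": "https://www.example.com/", "violated-directive": "script-src", "blocked-uri": "https://evil.example.org/x.js"}}
{"ip": "203.0.113.11", "ts": "2020-01-01T10:03:00", "csp-report": {"document-uri": "https://www.example.com/", "violated-directive": "script-src", "blocked-uri": "https://evil.example.org/x.js"}}
{"ip": "203.0.113.12", "ts": "2020-01-01T10:07:00", "csp-report": {"document-uri": "https://www.example.com/", "violated-directive": "script-src", "blocked-uri": "https://evil.example.org/x.js"}}
{"ip": "203.0.113.13", "ts": "2020-01-01T10:12:00", "csp-report": {"document-uri": "https://www.example.com/", "violated-directive": "script-src", "blocked-uri": "https://evil.example.org/x.js"}}
{"ip": "203.0.113.14", "ts": "2020-01-01T10:20:00", "csp-report": {"document-uri": "https://www.example.com/", "violated-directive": "script-src", "blocked-uri": "https://evil.example.org/x.js"}}
{"ip": "198.51.100.5", "ts": "2020-01-01T10:01:00", "csp-report": {"document-uri": "https://www.example.com/about", "violated-directive": "style-src 'self'", "blocked-uri": "https://fonts.example.org/css"}}
{"ip": "198.51.100.5", "ts": "2020-01-01T10:02:00", "csp-report": {"document-uri": "https://www.example.com/about", "violated-directive": "style-src 'self'", "blocked-uri": "https://fonts.example.org/css"}}
{"ip": "198.51.100.6", "ts": "2020-01-01T10:04:00", "csp-report": {"document-uri": "https://www.example.com/about", "violated-directive": "style-src 'self'", "blocked-uri": "https://fonts.example.org/css"}}
{"ip": "198.51.100.6", "ts": "2020-01-01T10:05:00", "csp-report": {"document-uri": "https://www.example.com/about", "violated-directive": "style-src 'self'", "blocked-uri": "https://fonts.example.org/css"}}
{"ip": "198.51.100.7", "ts": "2020-01-01T10:09:00", "csp-report": {"document-uri": "https://www.example.com/about", "violated-directive": "style-src 'self'", "blocked-uri": "https://fonts.example.org/css"}}
{"ip": "203.0.113.30", "ts": "2020-01-01T10:30:00", "csp-report": {"document-uri": "https://www.example.com/", "violated-directive": "script-src", "blocked-uri": "inline"}}
"""

PULSE_MIN_REPORTS = 5            # the page's thresholds
PULSE_MIN_IPS = 5
PULSE_WINDOW = timedelta(minutes=30)


def parse_reports(log_text):
    """Reduce each report to (ip, ts, directive, blocked origin)."""
    reports = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        body = rec["csp-report"]
        blocked = urlsplit(body["blocked-uri"])
        # Non-URL values such as "inline" or "eval" are kept verbatim.
        origin = f"{blocked.scheme}://{blocked.netloc}" if blocked.netloc else body["blocked-uri"]
        reports.append({
            "ip": rec["ip"],
            "ts": datetime.fromisoformat(rec["ts"]),
            # Older browsers put the whole directive value here; keep the name only.
            "directive": body["violated-directive"].split()[0],
            "origin": origin,
        })
    return reports


def find_pulses(reports, min_reports=PULSE_MIN_REPORTS, min_ips=PULSE_MIN_IPS,
                window=PULSE_WINDOW):
    """Return {(directive, origin): distinct_ip_count} for every blocked source
    reported at least min_reports times by at least min_ips distinct IPs inside
    some window-long span (sliding window over time-sorted reports)."""
    by_key = defaultdict(list)
    for r in reports:
        by_key[(r["directive"], r["origin"])].append(r)
    pulses = {}
    for key, items in by_key.items():
        items.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(items)):
            while items[end]["ts"] - items[start]["ts"] > window:
                start += 1          # drop reports older than the window
            span = items[start:end + 1]
            ips = {r["ip"] for r in span}
            if len(span) >= min_reports and len(ips) >= min_ips:
                pulses[key] = max(pulses.get(key, 0), len(ips))
    return pulses


def suggestions(reports):
    """Distinct (directive, origin) pairs to review as whitelist candidates;
    non-URL blocked sources (inline, eval, data) are not whitelistable domains."""
    return sorted({(r["directive"], r["origin"]) for r in reports if "://" in r["origin"]})


if __name__ == "__main__":
    reps = parse_reports(SAMPLE_LOG)
    print(find_pulses(reps))   # only the script-src source reaches the threshold
    print(suggestions(reps))
```

The report at 09:00 from a sixth address is deliberately outside the 30-minute window, so it neither triggers the pulse early nor inflates the IP count; the style-src source has five reports but only three addresses and stays below the threshold, which is the "missed resource during monitoring" case you would spot in the suggestion list rather than in a pulse.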

[Screenshot: suggestions.png]