Content Security Policy (CSP)
Content security policy is a security feature that web designers and server administrators can use to prevent attacks such as cross-site scripting (XSS).
CSP is a security header that can be used to specify trusted domains. For each domain, you can configure which resources they are allowed to load. Resources can be stylesheets, javascripts, iFrames, fonts or images.
An example of a simple CSP header:
Content-Security-Policy: default-src 'self' example.com
This CSP header specifies that the browser may only reload resources from the following two domains:
- 'self': the domain under which the page is currently running.
- example.com: Resources may also be reloaded from example.com.
Default-src' is used to specify the behavior for all possible sources. But it is possible to set different rules for loading images, stylesheets, fonts or script files:
Allow reloading of scripts from any subdomain of somecdn.com as well as your own domain (_self), allow inline scripts (scripts in <script> tags within the HTML DOM and allow scripts to call eval() )
Content-Security-Policy: script-src 'self' 'unsafe-eval' 'unsafe-inline' *.somecdn.com;
Allow reloading images from any subdomain of ytimg.com as well as your own site:
Content-Security-Policy: img-src 'self' *.ytimg.com;
Allow iFrames from the domains cookiebot.com, youtube-nokookie.com and fonts.gstatic.com
Content security policy: frame-src 'self' *.cookiebot.com *.youtube-nocookie.com fonts.gstatic.com;
It is possible to set different policies for individual sources:
Content-Security-Policy: frame-src 'self' somedomain.com; script-src 'self' someotherdomain.com; font-src fonts.gstatic.com;
Apache and nginx differ slightly in syntax, but the principle is identical.