Content Security Policy (CSP): A Comprehensive Guide to Web Security
Content Security Policy (CSP) is a crucial security mechanism safeguarding websites against content injection attacks, primarily Cross-Site Scripting (XSS). This declarative policy empowers developers to create a whitelist of trusted resource origins, controlling how the browser loads resources, uses inline styles and scripts, and handles dynamic JavaScript evaluation (e.g., using eval()). Any attempt to load resources from outside this whitelist is blocked.
Key Concepts:
- Whitelist Approach: CSP operates by defining allowed sources, blocking everything else.
-
HTTP Header Delivery: The policy is implemented via the
Content-Security-PolicyHTTP header. - Directive-Based Control: The header contains directives specifying allowed domains and restricting JavaScript execution to prevent injection attacks.
-
Violation Reporting: The
report-uridirective logs CSP violations, invaluable for production environments. This sends a JSON report detailing the violation to a specified URL.
How CSP Works:
CSP, a W3C Candidate Recommendation, uses the Content-Security-Policy header to deliver directives. Key directives include: default-src, script-src, object-src, style-src, img-src, media-src, frame-src, font-src, and connect-src. default-src acts as a fallback for unspecified directives.
Directives follow a consistent pattern:
-
self: Refers to the current domain. - URL List: Space-separated URLs specifying allowed origins.
-
none: Prohibits loading resources for a given directive (e.g.,object-src 'none'blocks plugins).
A basic CSP allowing resources only from the current domain:
<code>Content-Security-Policy: default-src 'self';</code>
Any attempt to load from another domain is blocked, with a console message. CSP inherently restricts inline scripts and dynamic code evaluation, significantly mitigating injection risks.
While domains are specified, paths are not currently supported. Wildcards (), however, allow for subdomain inclusion (e.g., `.mycdn.com`). Each directive requires explicit domain/subdomain listing; they don't inherit from previous directives.
For data URLs, include data: in the directive (e.g., img-src 'data:'). unsafe-inline (for script-src and style-src) allows inline <script></script> and <style></style> tags, and unsafe-eval (for script-src) enables dynamic code evaluation. Both use opt-in policies; omitting them enforces restrictions.
Browser Compatibility:
CSP 1.0 enjoys broad browser support, with older Internet Explorer versions having limited compatibility.
Monitoring Violations with report-uri:
While development uses browser console logging, production environments benefit from report-uri. This sends HTTP POST requests containing violation details (in JSON format) to a specified URL.
Example:
<code>Content-Security-Policy: default-src 'self';</code>
A violation (e.g., loading from www.google-analytics.com) generates a JSON report sent to the report-uri.
Content-Security-Policy-Report-Only Header:
For testing, use Content-Security-Policy-Report-Only. This reports violations without blocking resources, allowing policy refinement without site disruption. Both headers can be used concurrently.
Implementing CSP:
CSP is set via the HTTP header. Server configuration (Apache, IIS, Nginx) or programmatic methods (PHP's header(), Node.js's setHeader()) can be used.
Real-World Examples:
Facebook and Twitter demonstrate diverse CSP implementations, utilizing wildcards and specific domain allowances.
CSP Level 2 Enhancements:
CSP Level 2 introduces new directives (base-uri, child-src, form-action, frame-ancestors, plugin-types), improved reporting, and nonce/hash-based protection for inline scripts and styles.
Nonce-Based Protection:
A randomly generated nonce is included in both the CSP header and the inline script tag.
Hash-Based Protection:
The server computes the hash of the script/style block, included in the CSP header. The browser verifies this hash before execution.
Conclusion:
CSP significantly enhances web security by controlling resource loading. report-uri facilitates monitoring, and Level 2 introduces further refinements. Implementing CSP is a vital step in building robust and secure web applications.
(Note: The image placeholders remain unchanged as requested.)
The above is the detailed content of Improving Web Security with the Content Security Policy. For more information, please follow other related articles on the PHP Chinese website!
Behind the first Android access to DeepSeek: Seeing the power of womenMar 12, 2025 pm 12:27 PMThe rise of Chinese women's tech power in the field of AI: The story behind Honor's collaboration with DeepSeek women's contribution to the field of technology is becoming increasingly significant. Data from the Ministry of Science and Technology of China shows that the number of female science and technology workers is huge and shows unique social value sensitivity in the development of AI algorithms. This article will focus on Honor mobile phones and explore the strength of the female team behind it being the first to connect to the DeepSeek big model, showing how they can promote technological progress and reshape the value coordinate system of technological development. On February 8, 2024, Honor officially launched the DeepSeek-R1 full-blood version big model, becoming the first manufacturer in the Android camp to connect to DeepSeek, arousing enthusiastic response from users. Behind this success, female team members are making product decisions, technical breakthroughs and users
DeepSeek's 'amazing' profit: the theoretical profit margin is as high as 545%!Mar 12, 2025 pm 12:21 PMDeepSeek released a technical article on Zhihu, introducing its DeepSeek-V3/R1 inference system in detail, and disclosed key financial data for the first time, which attracted industry attention. The article shows that the system's daily cost profit margin is as high as 545%, setting a new high in global AI big model profit. DeepSeek's low-cost strategy gives it an advantage in market competition. The cost of its model training is only 1%-5% of similar products, and the cost of V3 model training is only US$5.576 million, far lower than that of its competitors. Meanwhile, R1's API pricing is only 1/7 to 1/2 of OpenAIo3-mini. These data prove the commercial feasibility of the DeepSeek technology route and also establish the efficient profitability of AI models.
Top 10 Best Free Backlink Checker Tools in 2025Mar 21, 2025 am 08:28 AMWebsite construction is just the first step: the importance of SEO and backlinks Building a website is just the first step to converting it into a valuable marketing asset. You need to do SEO optimization to improve the visibility of your website in search engines and attract potential customers. Backlinks are the key to improving your website rankings, and it shows Google and other search engines the authority and credibility of your website. Not all backlinks are beneficial: Identify and avoid harmful links Not all backlinks are beneficial. Harmful links can harm your ranking. Excellent free backlink checking tool monitors the source of links to your website and reminds you of harmful links. In addition, you can also analyze your competitors’ link strategies and learn from them. Free backlink checking tool: Your SEO intelligence officer
Midea launches its first DeepSeek air conditioner: AI voice interaction can achieve 400,000 commands!Mar 12, 2025 pm 12:18 PMMidea will soon release its first air conditioner equipped with a DeepSeek big model - Midea fresh and clean air machine T6. The press conference is scheduled to be held at 1:30 pm on March 1. This air conditioner is equipped with an advanced air intelligent driving system, which can intelligently adjust parameters such as temperature, humidity and wind speed according to the environment. More importantly, it integrates the DeepSeek big model and supports more than 400,000 AI voice commands. Midea's move has caused heated discussions in the industry, and is particularly concerned about the significance of combining white goods and large models. Unlike the simple temperature settings of traditional air conditioners, Midea fresh and clean air machine T6 can understand more complex and vague instructions and intelligently adjust humidity according to the home environment, significantly improving the user experience.
Another national product from Baidu is connected to DeepSeek. Is it open or follow the trend?Mar 12, 2025 pm 01:48 PMDeepSeek-R1 empowers Baidu Library and Netdisk: The perfect integration of deep thinking and action has quickly integrated into many platforms in just one month. With its bold strategic layout, Baidu integrates DeepSeek as a third-party model partner and integrates it into its ecosystem, which marks a major progress in its "big model search" ecological strategy. Baidu Search and Wenxin Intelligent Intelligent Platform are the first to connect to the deep search functions of DeepSeek and Wenxin big models, providing users with a free AI search experience. At the same time, the classic slogan of "You will know when you go to Baidu", and the new version of Baidu APP also integrates the capabilities of Wenxin's big model and DeepSeek, launching "AI search" and "wide network information refinement"
Prompt Engineering for Web DevelopmentMar 09, 2025 am 08:27 AMAI Prompt Engineering for Code Generation: A Developer's Guide The landscape of code development is poised for a significant shift. Mastering Large Language Models (LLMs) and prompt engineering will be crucial for developers in the coming years. Th
Building a Network Vulnerability Scanner with GoApr 01, 2025 am 08:27 AMThis Go-based network vulnerability scanner efficiently identifies potential security weaknesses. It leverages Go's concurrency features for speed and includes service detection and vulnerability matching. Let's explore its capabilities and ethical
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
Atom editor mac version download
The most popular open source editor
