Understanding and Implementing Content Security Policy (CSP)
Jul 30, 2025 am 05:33 AM
Start with Content-Security-Policy-Report-Only to monitor violations without enforcement. 2. Set up a report-uri endpoint to collect and analyze CSP violation reports. 3. Build a strict policy using default-src 'none' and explicitly allow only required sources. 4. Eliminate unsafe practices by replacing inline scripts with external files or using nonces/hashes. 5. Deploy the enforced policy and continuously monitor reports to refine directives. CSP must be implemented gradually, avoiding 'unsafe-inline' and 'unsafe-eval', whitelisting only trusted domains, and ensuring compatibility with your site’s functionality, all while maintaining robust reporting to detect issues early.
Content Security Policy (CSP) is a powerful browser feature that helps prevent a wide range of attacks, especially cross-site scripting (XSS) and data injection attacks. By defining which sources of content are allowed to load on a web page, CSP acts as a defense-in-depth mechanism, limiting the damage malicious scripts can cause—even if they somehow get injected.
Here’s how to understand and implement CSP effectively.
What Is Content Security Policy?
CSP is an HTTP response header (Content-Security-Policy) that lets you declare which domains and types of content are permitted to be loaded and executed by the browser. For example, you can specify:
- Where scripts can be loaded from
- Which domains can embed your site in an iframe
- Whether inline scripts or
eval()are allowed
Without CSP, browsers will load and execute scripts from any source—including potentially malicious ones injected via vulnerabilities.
CSP works by defining a policy—a string of directives—sent in the HTTP header:
Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'
Each directive controls a different type of resource.
Key CSP Directives You Should Know
Here are the most commonly used directives:
default-src: Fallback for most resource types if not explicitly set.script-src: Controls where JavaScript can be loaded from (including inline andeval()).style-src: Governs CSS sources, including inline styles.img-src: Defines valid image sources.connect-src: Restricts URLs that can be loaded via script (e.g.,fetch,XMLHttpRequest).font-src: Specifies allowed font sources.frame-ancestors: Controls which sites can embed your page (replacesX-Frame-Options).object-src: For plugins like Flash (should be restricted).base-uri: Limits the<base>tag to prevent redirection attacks.form-action: Restricts URLs that can be used as form targets.
?? Best Practice: Avoid
'unsafe-inline'and'unsafe-eval'. These defeat the purpose of CSP by allowing dangerous execution patterns.
How to Implement CSP Step-by-Step
Implementing CSP can be tricky because overly strict policies can break your site. Follow these steps:
1. Start in Report-Only Mode
Use Content-Security-Policy-Report-Only to test your policy without enforcing it:
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report-endpoint
This allows you to collect violations via a reporting endpoint without disrupting users.
2. Set Up a Report Endpoint
Add a report-uri or report-to directive to receive violation reports:
report-uri /csp-violation-capture
Your server should accept POST requests to this endpoint and log the JSON reports. Example report:
{
"csp-report": {
"document-uri": "https://example.com/page",
"violated-directive": "script-src 'self'",
"blocked-uri": "https://malicious.com/evil.js",
"original-policy": "script-src 'self'; ..."
}
}These reports help identify what needs to be allowed or fixed.
3. Build a Realistic Policy
Start with a restrictive base and allow only what's necessary:
Content-Security-Policy: default-src 'none'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://images.example.com; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self';
- Use
'none'as default to block everything unless explicitly allowed. - Only add third-party domains you truly depend on (e.g., Google Fonts, analytics).
4. Eliminate Unsafe Practices
To strengthen CSP:
- Replace inline scripts with external files.
- Use
nonceorhashfor unavoidable inline scripts:
<script nonce="2726c7f26c"> // inline script </script>
Then in CSP:
script-src 'self' 'nonce-2726c7f26c'
- Avoid
eval(); refactor code if needed.
5. Deploy and Monitor
Once testing is complete, switch from Report-Only to full enforcement. Continue monitoring reports to catch edge cases.
Common Pitfalls and Tips
- *Don’t allow `
orunsafe-inline` in production.** They undermine security. - CDNs and external scripts must be explicitly whitelisted.
-
Data URLs (
data:) should be limited to specific directives likeimg-src. -
Self includes the same scheme—if your site is HTTPS,
'self'won’t allow HTTP. - Browser support is excellent, but always test in major browsers.
Final Thoughts
CSP isn’t a silver bullet, but it’s a critical layer in modern web security. Start small, use reporting, and gradually tighten your policy. The goal isn’t perfection on day one—it’s progress toward reducing attack surface.
With careful implementation, CSP can block entire classes of attacks before they execute. It’s not complex, but it does require attention to detail. Get it right, and you’ll make XSS much harder to exploit.
Basically, define what your site needs, block the rest, and keep an eye on the reports.
The above is the detailed content of Understanding and Implementing Content Security Policy (CSP). For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What is Content Security Policy (CSP) header and why is it important?
Apr 09, 2025 am 12:10 AM
CSP is important because it can prevent XSS attacks and limit resource loading, improving website security. 1.CSP is part of HTTP response headers, limiting malicious behavior through strict policies. 2. The basic usage is to only allow loading resources from the same origin. 3. Advanced usage can set more fine-grained strategies, such as allowing specific domain names to load scripts and styles. 4. Use Content-Security-Policy-Report-Only header to debug and optimize CSP policies.
PHP8.1 released: supports CSP (Content Security Policy)
Jul 09, 2023 pm 06:52 PM
PHP8.1 released: supports CSP (Content Security Policy). With the development of the Internet, network security issues have increasingly become the focus of attention. In order to protect users' privacy and security, more websites are beginning to adopt Content Security Policy (CSP) to limit the content that can be executed and the resources that can be loaded in web pages. In the latest release of PHP 8.1, native support for CSP has been introduced, providing developers with better tools to enhance the security of web pages. CSP allows web page developers to restrict web pages by specifying the resource sources that are allowed to be loaded.
Microsoft shares helpful Group Policy tutorials to get the most out of Windows Updates
May 02, 2023 pm 09:22 PM
Microsoft has shared a helpful reference for organizations to set appropriate Group Policy settings for various devices. These include: Single-user or personal devices Multi-user devices Educational devices Kiosks and billboards Factory machines, roller coasters and the like Microsoft Teams meeting room devices However, the company recommends using the default settings for most use cases. The policy discussed here can be found here: Policy CSP - Update Management Single-User Devices A single-user device is a user-owned or company-owned device that is used by one person. In addition to personal computing tasks, these devices can be used for mixed work activities, including meetings, presentations, and any number of other tasks. As with any of these tasks, interruptions can hinder productivity. Given that these devices often connect to corporate networks and access sensitive information
Concurrency patterns in Go: CSP and message passing
Jun 02, 2024 pm 01:08 PM
When programming concurrently in Go, it is crucial to understand and use appropriate patterns. CSP is a concurrency mode based on sequential processes, implemented using Goroutine, and is suitable for simple communication. Message passing is a pattern that uses channels as message queues for communication, and is suitable for complex or multiple Goroutine interaction scenarios. In practical applications, CSP can be used to implement simple message services, sending and receiving messages between different Goroutines through channels.
Deep Dive into JavaScript Content Security Policy (CSP)
Jul 17, 2025 am 02:59 AM
CSP (Content-Security-Policy) is a front-end security mechanism that prevents malicious code injection such as XSS. 1. It declares which resources can be loaded and executed through the HTTP response header. The core idea is the "whitelist" strategy; 2. The setting method is to add Content-Security-Policy fields to the server response header, such as default-src, script-src and other instructions to control different resource types; 3. Inline scripts and eval are blocked by default, and can be temporarily allowed through nonce or hash, but it is recommended to use external script files; 4. Content-Security-Policy-Report can be used in the development stage.
Understanding Content Security Policy (CSP)
Jul 26, 2025 am 07:28 AM
CSPisacriticalsecuritymeasurethathelpspreventXSS,clickjacking,andcodeinjectionattacksbyrestrictingwhichresourcesabrowsercanload.1.ItworksviatheContent-Security-PolicyHTTPheader,enforcingawhitelistoftrustedsources.2.Keydirectivesincludedefault-src,scr
Enhancing Security with Content Security Policy (CSP) in HTML
Jul 15, 2025 am 02:43 AM
CSP is a mechanism to improve web page security by limiting the source of resource loading. The core is to set policies through HTTP headers or meta tags, and control the browser to load only scripts, styles and other resources from the specified source to prevent XSS attacks. To configure CSP, you need to set the Content-Security-Policy header, such as default-src'self' limits the default resource source, script-src specifies the script source that is allowed to be loaded, and style-src controls stylesheet loading. Frequently asked questions after enabled include the resource being intercepted by mistake, which can be reported through report-uri, report-Only mode testing, avoiding the use of 'unsafe-inline' and 'unsaf
A Practical Guide to Content Security Policy (CSP)
Jul 27, 2025 am 04:05 AM
CSPisanHTTPheaderthatblocksunauthorizedscriptsandresources,preventingXSS,clickjacking,anddatainjectionattacksbyallowingonlytrustedsources.2.ImplementitviatheContent-Security-Policyheaderwithdirectiveslikescript-src,style-src,andimg-srctorestrictresou
