Understanding and Securing CSP
Content Security Policy (CSP):
CSP plays an important role in protecting the content a page displays. It tells the browser from which origins each kind of content (scripts, styles, images, fonts, frames, fetch/XHR connections) may be loaded, adding a layer of defence that helps detect and mitigate content injection vulnerabilities. It does not stop the injection itself; it limits what injected content can do.
If an attacker manages to inject content into the application to exploit it, for example an XSS payload that sends the session cookie to a domain they control, or a frame used for clickjacking (controlled by the frame-ancestors directive), the browser refuses to load from or into any origin the policy does not allow, logs a violation in the developer console (and posts a report if a report-uri or report-to endpoint is configured), and does not make the request to the arbitrary domain.
Once a policy sets script-src (or default-src), the browser also blocks string evaluation such as eval(), new Function() and setTimeout()/setInterval() with a string argument, unless the policy contains 'unsafe-eval'. Rather than weakening the policy, a developer who uses eval() only to parse JSON should switch to JSON.parse(); other uses of eval() should be rewritten as ordinary functions.
When CSP is deployed:
i. If the browser supports CSP, it enforces the restrictions in the header: it loads only content the policy allows and discards anything unintended, as specified by the policy.
ii. If the browser does not support CSP, it ignores the header and the page works as before, with nothing blocked. A browser that supports CSP but not a particular directive logs a warning about the unknown directive and ignores just that directive.
Syntax:
Content-Security-Policy: <directive> <value>; <directive> <value>
Each directive is followed by one or more space-separated source expressions (for example 'self', 'none', a scheme such as https:, or a host such as https://cdn.example.com or *.example.com), and directives are separated by semicolons. A fetch directive that is not listed falls back to default-src; if neither is present, that content type is unrestricted. The header can also be delivered as a <meta http-equiv="Content-Security-Policy"> tag, though frame-ancestors and reporting directives only work in the HTTP header.