In today’s post, our guest blogger at Selesti fills you in on all you need to know about a content security policy.
Selesti is a Google Premier Partner agency that offers digital marketing as well as web and mobile app development. The company prides itself on the ability to sharpen strategies, get more out of data, put more punch into websites and more power into campaigns.
Let’s see what their in-house experts had to say.
A content security policy (CSP) allows your website to give a user's web browser a list of instructions to follow. The list can cover many things, such as which images are allowed to load, which websites can be used in an iframe, which embed scripts (such as YouTube's) can be used, whether SSL should be enforced, and more.
By providing an allow list of what your website can and can't do, a CSP helps prevent unauthorised code from being executed in the user's browser – this means you can mitigate potential credit card skimming scripts or bitcoin mining! The CSP won't remove the malicious code from the website – however, it can alert you that it exists and prevent the code from executing.
Recently, we took on a new client who wanted us to work on the eCommerce side of their website. When we took a look at the code, we realised that malicious code had been injected into their website. We constructed an allow list for the CSP, which put an immediate stop to the unwanted script before we audited the rest of the source code, and thankfully there was no evidence that any user data had been compromised.
A CSP alone does not do anything – you need your development and marketing teams to audit the scripts you're using and construct an allow list of what you actually need. This covers a broad range of features such as:
If you’ve decided that a CSP is a great addition to your website, there are a few things to consider while implementing your policy.
The easiest method to retrofit a policy to an existing website is to add the CSP with a completely empty allow list. You can then browse the website and check for all the errors. Because you've blocked everything, this lets you see exactly what the site is trying to load.
You can then complete an audit of all these errors, deciding which ones you should add to the allow list and which you should not. The tricky thing to balance is knowing how much you should let through. For example, if you are using a script on your website hosted via a CDN and decide to allow list that CDN, you are allow listing everything on that CDN. Thus, if somebody uploaded a malicious script to a public CDN, your website would be vulnerable.
Once you've created your initial list of rules for your website, you should look to launch it in "report-only" mode. This means that the browser will still evaluate the rules, but it will not block anything. This allows you to send all the violations to a central reporting system. At Selesti we've built our own for ease of use between marketing and development teams.
Once you've been running in "report-only" mode for a few weeks to months (depending on the scale of your website), you will likely have found lots of edge cases which need adding to the allow list. If you're confident that your set of rules is just right, you can then turn off "report-only" mode and block everything that is not allow listed.
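The audit-and-report-only workflow above, as an added example that is not Selesti's own reporting system: it parses the JSON violation reports a browser POSTs to a `report-uri` endpoint, suggests the narrowest source expression for each blocked URI (the whole origin for a dedicated host, but only the exact file for a shared CDN, so that other people's uploads stay blocked), and renders either the report-only or the enforcing header. The sample reports, the `cdn.example.net` shared-CDN entry and the `/csp-report` endpoint are constructed for this example.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample reports in the JSON shape a browser POSTs to report-uri.
SAMPLE_REPORTS = [
    '{"csp-report":{"violated-directive":"script-src","blocked-uri":"https://cdn.example.net/libs/jquery/3.6.0/jquery.min.js"}}',
    '{"csp-report":{"violated-directive":"script-src","blocked-uri":"https://cdn.example.net/libs/jquery/3.6.0/jquery.min.js"}}',
    '{"csp-report":{"violated-directive":"script-src","blocked-uri":"https://www.youtube.com/iframe_api"}}',
    '{"csp-report":{"violated-directive":"frame-src","blocked-uri":"https://www.youtube.com/embed/abc123"}}',
    '{"csp-report":{"violated-directive":"script-src","blocked-uri":"inline"}}',
]
# Hosts serving arbitrary third-party uploads (hypothetical list): allow the
# exact file, never the whole origin, so someone else's upload stays blocked.
SHARED_CDN_HOSTS = {"cdn.example.net"}

def parse_report(raw):
    """Return (directive, blocked-uri) from one raw report body."""
    body = json.loads(raw)["csp-report"]
    # Some browsers append the matched source list; keep the directive name only.
    return body["violated-directive"].split()[0], body["blocked-uri"]

def suggest_source(blocked):
    """Map a blocked URI to the narrowest sensible source expression."""
    if blocked == "inline":
        # Inline script needs a nonce or hash; do not silence it with 'unsafe-inline'.
        return "'nonce-...' or 'sha256-...' (review inline script)"
    parts = urlsplit(blocked)
    if parts.hostname in SHARED_CDN_HOSTS:
        return f"{parts.scheme}://{parts.netloc}{parts.path}"
    return f"{parts.scheme}://{parts.netloc}"

def audit(raw_reports):
    """Group reports as {directive: Counter({suggested source: hits})} for review."""
    counts = defaultdict(Counter)
    for raw in raw_reports:
        directive, blocked = parse_report(raw)
        counts[directive][suggest_source(blocked)] += 1
    return counts

def build_policy(allow, report_only=True):
    """Render the header line; report_only selects the non-blocking variant."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    parts = ["default-src 'none'"]
    for directive, sources in sorted(allow.items()):
        parts.append(f"{directive} {' '.join(sorted(sources))}")
    parts.append("report-uri /csp-report")
    return f"{name}: {'; '.join(parts)}"
```

Run `audit(SAMPLE_REPORTS)` to see the per-directive suggestions and hit counts, then pass the reviewed allow list to `build_policy` with `report_only=False` once you are ready to enforce.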
For more implementation details we recommend this Google Fundamentals article https://developers.google.com/web/fundamentals/security/csp/
There are many common entries which we find are added to almost all of our websites such as:
Unfortunately, not all third-party services publish the resources that need allow listing. However, with time we hope they will eventually do so. Some people are creating collaborative lists to help with this, such as https://github.com/nico3333fr/CSP-useful/tree/master/csp-for-third-party-services.
Ultimately, as hackers become more creative in their efforts to access personal information, website owners need to take even greater steps to protect their customers' data. A content security policy is an excellent way to help make sure those with bad intentions can't hijack your users.