Prevent XSS, clickjacking, code injection attacks by implementing the Content Security Policy (CSP) header in your web page HTTP response. CSP instruct browser to load allowed content to load on the website.
All browsers don’t support CSP, so you got to verify before implementing it. There are three ways you can achieve CSP headers.
- Content-Security-Policy – Level 2/1.0
- X-Content-Security-Policy – Deprecated
- X-Webkit-CSP – Deprecated
If you are still using the deprecated one, then you may consider upgrading to the latest one.
There are multiple parameters possible to implement CSP, and you can refer to OWASP for an idea. However, let’s go through the two most used parameters.
|default-src||Load everything from a defined source|
|script-src||Load only scripts from a defined source|
The following example of loading everything from the same origin in various web servers.
Get the following added in
httpd.conf file and restart the webserver to get effective.
Header set Content-Security-Policy "default-src 'self';"
Add the following in the server block in
add_header Content-Security-Policy "default-src 'self';";
Go to HTTP Response Headers for your respective site in IIS Manager and add the following
Check out this to implement frame-ancestors using CSP. This is an advanced version of X-Frame-Options.