CSP (Content Security Policy) is a security standard designed to prevent cross-site scripting (XSS), clickjacking, and other types of code injection attacks. It works by letting web developers specify which sources a page may load JavaScript, CSS, and other content from. However, implementing and testing CSP can be challenging, which is where the CSP Evaluator comes in.
The CSP Evaluator is a tool that helps web developers and security analysts test their CSP configurations. It was created by the Google Chrome Security Team as an open-source project and is available on GitHub. The tool works by analyzing a website’s CSP configuration and identifying any potential security vulnerabilities.
To use the CSP Evaluator, you first need to generate your website’s CSP configuration. This is done by adding a Content-Security-Policy header to your web server’s response. The header contains a list of directives, each specifying the sources allowed for one kind of resource. For example, the script-src directive specifies which sources may supply JavaScript, while the style-src directive specifies which sources may supply CSS.
Once you have generated your website’s CSP configuration, you can use the CSP Evaluator to test it. It provides a detailed report that highlights any issues with the configuration and suggests ways to fix them.
One of the key benefits of using the CSP Evaluator is that it can help you identify common mistakes in your CSP configuration. For example, it can identify cases where the default-src directive is too permissive, allowing any source to execute code on your website. It can also identify cases where the script-src directive is too restrictive, preventing legitimate scripts from running on your website.
In addition to identifying potential security vulnerabilities, the CSP Evaluator can also help you optimize your CSP configuration. It can identify cases where certain directives are redundant or unnecessary, allowing you to simplify your configuration and improve your website’s performance.
Overall, the CSP Evaluator is an essential tool for any web developer or security analyst working with CSP. It can help you identify potential security vulnerabilities, optimize your CSP configuration, and ensure that your website is as secure as possible. If you’re working with CSP, be sure to check out the CSP Evaluator and see how it can help you improve your website’s security.
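As an added example (not code from the CSP Evaluator project or from this page), the following Python script does both halves of what the article describes: it serializes a policy into a Content-Security-Policy header value with a per-response nonce, and it parses a header and flags the common script-src, object-src and base-uri weaknesses that a static evaluator catches. The rule set, the severities, the FETCH_DIRECTIVES fallback set and the /csp-report path are this example's own assumptions, not the evaluator's rules.

```python
"""Added example: build a Content-Security-Policy header and statically flag
common weaknesses in it. Not the CSP Evaluator's own code; the rule set,
severities and the /csp-report endpoint below are this example's assumptions."""
from __future__ import annotations
import secrets

# Directives that inherit default-src when absent (assumed subset for this example).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "object-src",
                    "media-src", "frame-src", "font-src", "connect-src"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: dict[str, list[str]]) -> str:
    """Inverse of parse_csp: produce the header value to send with a response."""
    return "; ".join(f"{name} {' '.join(values)}".strip() for name, values in policy.items())


def new_nonce() -> str:
    """Fresh per-response nonce (128 random bits, base64url) for 'nonce-...' sources."""
    return secrets.token_urlsafe(16)


def strict_policy(nonce: str) -> str:
    """A nonce-based policy of the kind static evaluators rate well."""
    return serialize_csp({
        "default-src": ["'self'"],
        "script-src": [f"'nonce-{nonce}'", "'strict-dynamic'"],
        "object-src": ["'none'"],
        "base-uri": ["'none'"],
        "report-uri": ["/csp-report"],   # constructed endpoint path
    })


def effective(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources governing `directive`, applying the default-src fallback for fetch
    directives; None means nothing restricts that resource type."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def evaluate(header: str) -> list[tuple[str, str, str]]:
    """Return (severity, directive, message) findings for weak settings."""
    policy = parse_csp(header)
    findings: list[tuple[str, str, str]] = []

    script = effective(policy, "script-src")
    if script is None:
        findings.append(("HIGH", "script-src",
                         "no script-src and no default-src: scripts from anywhere can run"))
    else:
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in script)
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP Level 2),
        # so it is only reported when nothing accompanies it.
        if "'unsafe-inline'" in script and not nonce_or_hash:
            findings.append(("HIGH", "script-src",
                             "'unsafe-inline' lets injected inline scripts execute"))
        if "'unsafe-eval'" in script:
            findings.append(("MEDIUM", "script-src", "'unsafe-eval' permits eval()-style execution"))
        for s in script:
            # '*' or a bare scheme such as https: lets any host serve scripts.
            if s == "*" or (s.endswith(":") and "//" not in s):
                findings.append(("HIGH", "script-src", f"overly broad source {s}"))

    obj = effective(policy, "object-src")
    if obj is None or "'none'" not in obj:
        findings.append(("MEDIUM", "object-src",
                         "object-src should be 'none': plugins can execute script"))
    if "base-uri" not in policy:
        findings.append(("MEDIUM", "base-uri",
                         "base-uri missing: an injected <base> tag can redirect relative script URLs"))
    return findings


if __name__ == "__main__":
    header = strict_policy(new_nonce())
    print(header)
    print(evaluate(header) or "no findings")
    print(evaluate("default-src 'self'; script-src 'self' 'unsafe-inline' *"))
```

The nonce must be generated fresh for every response and echoed into each `<script nonce="...">` tag; a nonce that is reused across responses gives no protection. The checks deliberately resolve script-src through the default-src fallback, because a policy that names only default-src still governs scripts through it.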
Tools
There are a number of free tools that can assist with generating, evaluating and monitoring a content security policy.
It is very useful to include these types of tools in the web application development process in order to perform a regular automatic first-level check (they do not replace a manual audit, which must also be conducted regularly).
- The w3af audit tools contain a plugin that automatically audits a web application to check whether it correctly implements CSP policies.
- CSP Tester (browser extension) to build and test the policy for your web application.
- CSP Generator for automatically generating policies (Chrome/Firefox extension).
- CSP Evaluator for evaluating existing content security policies for security misconfigurations.
- Csper report collector for monitoring a content security policy using report-uri.
The supported directives are:
- default-src : Define the loading policy for all resource types when no directive dedicated to that resource type is defined (fallback),
- script-src : Define which scripts the protected resource can execute,
- object-src : Define from where the protected resource can load plugins,
- style-src : Define which styles (CSS) the user agent applies to the protected resource,
- img-src : Define from where the protected resource can load images,
- media-src : Define from where the protected resource can load video and audio,
- frame-src : Define from where the protected resource can embed frames,
- font-src : Define from where the protected resource can load fonts,
- connect-src : Define which URIs the protected resource can load using script interfaces,
- form-action : Define which URIs can be used as the action of HTML form elements,
- sandbox : Specifies an HTML sandbox policy that the user agent applies to the protected resource,
- script-nonce : Define script execution by requiring the presence of the specified nonce on script elements,
- plugin-types : Define the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded,
- report-uri : Specifies a URI to which the user agent sends reports about policy violations.
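To make the fallback rule in the list above concrete, here is an added Python example (not from the page or from any CSP tool) that resolves which directive governs a given load, applying the default-src fallback only to the fetch directives, and then matches a URL against the governing source expressions ('self', 'none', scheme sources such as https:, hosts, *.wildcard hosts and ports). The sample policy, page origin and URLs are constructed; the matcher deliberately omits path matching, port wildcards and the http-to-https upgrade rule of the specification.

```python
"""Added example: resolve which directive governs a load (with the default-src
fallback) and match a URL against CSP source expressions. Not code from the page
or any CSP tool; the policy, origin and URLs below are constructed, and the
matcher omits path matching, port wildcards and the http->https upgrade rule."""
from __future__ import annotations
from urllib.parse import urlsplit

# Fetch directives from the list above: when absent they inherit default-src.
# form-action, sandbox, plugin-types, report-uri and script-nonce do not
# (assumption for this example: they are handled as non-falling-back here).
FETCH_DIRECTIVES = {"script-src", "object-src", "style-src", "img-src", "media-src",
                    "frame-src", "font-src", "connect-src"}


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Source list that governs `directive`; None means the load is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression allow `url` for a page served from `page_origin`?"""
    u, page = urlsplit(url), urlsplit(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if expr.startswith("'"):            # nonce-, sha256-, other keywords: not URL matchers
        return False
    if expr == "*":                     # the spec excludes data:, blob:, filesystem: from *
        return u.scheme not in ("data", "blob", "filesystem")
    if expr.endswith(":") and "//" not in expr:   # scheme-source, e.g. https: or data:
        return u.scheme == expr[:-1].lower()
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here (assumption)
    scheme, sep, hostport = expr.partition("://")
    if not sep:
        scheme, hostport = page.scheme, expr       # no scheme given: the page's scheme applies
    hostport = hostport.split("/", 1)[0]
    host, _, port = hostport.partition(":")
    if u.scheme != scheme.lower():
        return False
    if port and str(u.port) != port:
        return False
    host = host.lower()
    if host.startswith("*."):                      # wildcard matches subdomains only
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host


def allows(policy: dict[str, list[str]], directive: str, url: str, page_origin: str) -> bool:
    """Would a load governed by `directive` be permitted under `policy`?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True                                # no directive and no fallback: unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)


# Constructed sample policy and page origin for the demonstration.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "img-src": ["'self'", "https:", "data:"],
    "frame-src": ["'none'"],
    "form-action": ["'self'"],
}
ORIGIN = "https://app.example.com"

if __name__ == "__main__":
    checks = [
        ("script-src", "https://cdn.example.com/lib.js"),
        ("script-src", "https://evil.example.net/x.js"),
        ("style-src", "https://cdn.example.com/a.css"),   # falls back to default-src 'self'
        ("img-src", "data:image/png;base64,AAAA"),
        ("frame-src", "https://app.example.com/"),
        ("form-action", "https://app.example.com/login"),
    ]
    for directive, url in checks:
        verdict = "allow" if allows(POLICY, directive, url, ORIGIN) else "block"
        print(f"{directive:12} {url:40} {verdict}")
```

The point worth noticing is the non-fetch directives: a policy consisting only of `default-src 'none'` still leaves form-action unrestricted, because form-action is not a fetch directive and never inherits from default-src, whereas media-src or connect-src under the same policy are fully blocked.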