Content security policy (CSP) (Security)
The site restricts what can be loaded.
Impact
About
Content Security Policy (CSP) is a security standard that helps protect websites from attacks like cross-site scripting (XSS) by allowing website owners to declare trusted sources of content.
CSP is delivered in an HTTP response header or an HTML meta tag and uses directives such as default-src, script-src and img-src to control where each kind of resource may be loaded from. A policy can be enforced, or run in report-only mode so that violations are reported without being blocked. CSP is not a replacement for careful input validation and output encoding; it is a defense-in-depth measure. A strict CSP, which allows scripts by nonce or hash rather than by host allow-list, is more secure.
Note: It's an extra layer of protection, not the primary defense.
Why it's important
Helps stop attackers by blocking injected scripts and other harmful code from running on your website.
User stories
As a website owner, I want to define a Content Security Policy so that I can prevent malicious scripts from executing and protect users from XSS attacks.
As a site visitor, I want the website to load safely and securely without being exposed to malicious content or scripts so that my browsing experience is safe and my data is protected.
Code
Example header (the directives are shown on separate lines for readability; the header value is sent on a single line):
Content-Security-Policy:
default-src 'self';
script-src 'self' https://example.gov;
style-src 'self' 'unsafe-inline';
img-src 'self' https://example.gov;
font-src 'self' https://example.gov;
object-src 'none';
frame-ancestors 'none';
upgrade-insecure-requests;
Example HTML code:
<!-- Content Security Policy example using meta tag.
     Place it early in <head>, before any scripts or stylesheets.
     Note: frame-ancestors is ignored when delivered via a meta tag and
     only takes effect in the HTTP header; it is kept here to match the
     header example above. -->
<meta http-equiv="Content-Security-Policy" content="
default-src 'self';
script-src 'self' https://example.gov;
style-src 'self' 'unsafe-inline';
img-src 'self' https://example.gov;
font-src 'self' https://example.gov;
object-src 'none';
frame-ancestors 'none';
upgrade-insecure-requests;
">
Error
(ScanGov messaging when a site fails a standard)
Content Security Policy is missing or too permissive.
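The following is an added example, not ScanGov's scanner code: a small Python checker that parses a Content-Security-Policy value the way a browser splits it (directives separated by ';', first occurrence of a directive wins) and flags the kinds of settings that make a policy "too permissive" in the sense of the error above. It also computes the 'sha256-...' source expression for an inline script, which is what a strict, hash-based policy lists instead of 'unsafe-inline'. The weakness rules are this example's own heuristics (an assumption, not ScanGov's exact criteria); the two sample policies are constructed here, the first one being the example header from this page joined on one line.

```python
"""Parse a Content-Security-Policy value and flag overly permissive settings.

Added example for this page; not ScanGov's own scanner code. The weakness
rules below are this example's own heuristics (assumption), chosen to mirror
the "missing or too permissive" message.
"""
import base64
import hashlib

# Constructed sample: the page's example header, on one line as sent over HTTP.
STRICT_EXAMPLE = (
    "default-src 'self'; script-src 'self' https://example.gov; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' https://example.gov; "
    "font-src 'self' https://example.gov; object-src 'none'; "
    "frame-ancestors 'none'; upgrade-insecure-requests"
)

# Constructed sample of a policy that is present but far too permissive.
PERMISSIVE_EXAMPLE = "default-src * 'unsafe-inline' 'unsafe-eval'"


def parse_csp(header_value):
    """Split a CSP header value into {directive_name: [source, ...]}.

    Directives are ';'-separated; the first token is the name and the rest are
    source expressions. As in the CSP spec, a repeated directive name is
    ignored and only the first occurrence counts.
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Return the sources governing `directive`, falling back to default-src.

    Returns None when neither the directive nor default-src is present, which
    means that resource type is unrestricted.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def find_weaknesses(header_value):
    """Return a list of findings; an empty list means nothing was flagged."""
    if not header_value or not header_value.strip():
        return ["Content-Security-Policy header is missing"]
    findings = []
    policy = parse_csp(header_value)

    if "default-src" not in policy:
        findings.append("default-src is not set, so unlisted resource types are unrestricted")

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("script-src has no fallback; any script source is allowed")
    else:
        # With a nonce or hash present, browsers ignore 'unsafe-inline', so it
        # is only a weakness when it is the sole way inline scripts are allowed.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
        )
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval'")
        if any(s in ("*", "http:", "https:", "data:") for s in scripts):
            findings.append("script-src allows a wildcard or scheme-only source")

    if effective_sources(policy, "object-src") is None:
        findings.append("object-src is unrestricted; set it to 'none'")
    return findings


def script_hash(inline_script):
    """Compute the 'sha256-...' source expression for an inline <script> body.

    The hash covers the exact bytes between the script tags, so any whitespace
    change in the markup changes the hash and the script stops loading.
    """
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


if __name__ == "__main__":
    for label, value in (("strict", STRICT_EXAMPLE), ("permissive", PERMISSIVE_EXAMPLE)):
        print(label, find_weaknesses(value) or ["no issues found"])
    print(script_hash("console.log('hello')"))
```

Run it as a script to see the page's example policy pass and the constructed permissive one fail; call find_weaknesses() on the value of a site's own Content-Security-Policy header to check it. The checker deliberately does not flag 'unsafe-inline' under style-src, which the page's example uses: inline styles are a much smaller risk than inline scripts and are a common compromise, but a strict policy would replace that too with nonces or hashes.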
Guidance
Links
- Content Security Policy (18F)
- Reining in the Web with Content Security Policy (Mozilla)
- Content Security Policy (Mozilla)
- Content Security Policy Level 3 (W3C)
- Content Security Policy (Wikipedia)
- Content Security Policy Cheat Sheet (OWASP)
Indicators