Content security policy (CSP)

The site restricts what can be loaded.


Impact

(How ScanGov measures tasklist priorities.)

Why it's important

A missing or overly permissive Content Security Policy (CSP) can expose a website to security vulnerabilities such as cross-site scripting (XSS) and data injection attacks. By implementing a restrictive CSP, you can define which sources are trusted for loading content, helping to protect your site from malicious activity and improving overall security.

User stories

As a website owner, I want to define a Content Security Policy so that I can prevent malicious scripts from executing and protect users from XSS attacks.
As a site visitor, I want the website to load safely and securely without being exposed to malicious content or scripts so that my browsing experience is safe and my data is protected.

Error

(ScanGov messaging when a site fails a standard)

Content Security Policy is missing or too permissive.

Guidance

All government websites should have a content security policy.

Cybersecurity and Infrastructure Security Agency:

Implement a Content Security Policy (CSP). Website owners should also consider implementing a CSP. Implementing a CSP lessens the chances of an attacker successfully loading and running malicious JavaScript on the end user machine.

About

Content Security Policy (CSP) is a security standard that helps protect websites from attacks like cross-site scripting (XSS) by allowing website owners to declare trusted sources of content.

CSP is delivered in an HTTP response header or an HTML meta tag and uses directives such as default-src, script-src, and img-src to control which resources the browser may load. A policy can be enforced or set to only report violations; it is not a replacement for careful input validation but a defense-in-depth measure. A strict CSP, which allows scripts by nonce or hash rather than by host allowlist, is the more secure form.

Note: It’s an extra layer of protection, not the primary defense.

Code

Example header:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://example.gov;
  style-src 'self' 'unsafe-inline';
  img-src 'self' https://example.gov;
  font-src 'self' https://example.gov;
  object-src 'none';
  frame-ancestors 'none';
  upgrade-insecure-requests;

Example HTML code:

<!-- Content Security Policy example using meta tag -->
<!-- Note: frame-ancestors (like report-uri and sandbox) is ignored when CSP is
     delivered via a meta tag; it only takes effect in the HTTP header. -->
<meta http-equiv="Content-Security-Policy" content="
  default-src 'self';
  script-src 'self' https://example.gov;
  style-src 'self' 'unsafe-inline';
  img-src 'self' https://example.gov;
  font-src 'self' https://example.gov;
  object-src 'none';
  frame-ancestors 'none';
  upgrade-insecure-requests;
">
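The "missing or too permissive" check described under Error can be scripted against a captured header. The following is an added example, not ScanGov's own scanner: it parses a CSP header into directives and flags the common weak settings (no default-src, 'unsafe-inline' or 'unsafe-eval' for scripts without a nonce or hash, wildcard script hosts, object-src not 'none'). The header strings in the test are constructed samples.

```python
"""Parse a Content-Security-Policy header and flag permissive settings.

Added example (not ScanGov's code). The rules encode common hardening
advice for script-src, default-src and object-src; sample headers used
with it are constructed, not captured from a real site.
"""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers honour the first occurrence of a repeated directive.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_findings(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    if not header.strip():
        return ["CSP header is missing"]
    policy = parse_csp(header)
    findings: List[str] = []
    # default-src is the fallback for every fetch directive not set explicitly.
    default = policy.get("default-src")
    if default is None:
        findings.append("default-src is missing, so unlisted directives allow any source")
    script = [s.lower() for s in policy.get("script-src", default or [])]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    # With a nonce or hash present, CSP-capable browsers ignore 'unsafe-inline'.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without nonces or hashes")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script or any(s in ("http:", "https:") for s in script):
        findings.append("script-src allows scripts from any host")
    objects = [s.lower() for s in policy.get("object-src", default or [])]
    if "'none'" not in objects:
        findings.append("object-src is not 'none' (plugins can load content)")
    return findings
```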
