Content Security Policy
Development/Web, 2022. 6. 11. 21:38
*This is review material, so the obvious parts are omitted
Summary.
1. Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks
+ In short: instead of letting the browser run any script indiscriminately, the server explicitly designates which scripts (or other content) it is acceptable to execute
+ If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy
+ To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore)
+ It can also be set with a meta tag, as below
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
2. A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust in the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from
+ CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those allowed domains, ignoring all other scripts (including inline scripts and event-handling HTML attributes)
+ In addition to restricting the domains from which content can be loaded, the server can specify which protocols are allowed to be used
+ A complete data transmission security strategy includes not only enforcing HTTPS for data transfer, but also marking all cookies with the secure attribute and providing automatic redirects from HTTP pages to their HTTPS counterparts. Sites may also use the Strict-Transport-Security HTTP header to ensure that browsers connect to them only over an encrypted channel
3. Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control what resources the user agent is allowed to load for that page
+ Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own
e.g. A policy needs to include a default-src or script-src directive to prevent inline scripts from running, as well as blocking the use of eval(). A policy needs to include a default-src or style-src directive to restrict inline styles from being applied from a <style> element or a style attribute
Content-Security-Policy: policy
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
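The two points above (default-src acting as the fallback for other resource types, and a policy needing default-src or script-src before inline scripts and eval() are blocked) are easy to get wrong when reading a header by eye. The following is an added example, not code from the original post or from MDN: a small Python parser for a Content-Security-Policy header value that resolves the default-src fallback and reports whether inline scripts or eval() would still be allowed. The set of fallback directives and the function names are this example's own choices.

```python
"""Added example (not part of the original post): parse a CSP header value,
resolve the default-src fallback, and check inline-script / eval() exposure."""
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when not set explicitly.
# (Directives such as frame-ancestors, base-uri and form-action do NOT fall back.)
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "media-src", "font-src",
    "connect-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn "directive src src; directive src" into {directive: [sources]}.
    Directive names are case-insensitive; if a directive is repeated,
    browsers keep the first occurrence, so later duplicates are ignored."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources that govern `directive` after applying the default-src fallback.
    Returns None when neither the directive nor default-src is present,
    meaning that resource type is not restricted at all."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def allows_inline_script(policy: Dict[str, List[str]]) -> bool:
    """True when inline <script> blocks and on* handler attributes may run.
    Simplification: only 'unsafe-inline' is considered; nonce-/hash-sources
    and 'strict-dynamic' (which can re-enable specific inline scripts) are not."""
    srcs = effective_sources(policy, "script-src")
    if srcs is None:
        return True  # no script-src and no default-src: nothing blocks inline code
    return "'unsafe-inline'" in srcs


def allows_eval(policy: Dict[str, List[str]]) -> bool:
    """True when eval() and similar string-to-code APIs are still permitted."""
    srcs = effective_sources(policy, "script-src")
    return srcs is None or "'unsafe-eval'" in srcs


if __name__ == "__main__":
    # The policy from the summary above.
    p = parse_csp("default-src 'self'; img-src *; media-src media1.com media2.com; "
                  "script-src userscripts.example.com")
    print("style-src (fallback):", effective_sources(p, "style-src"))
    print("inline scripts allowed:", allows_inline_script(p))
    print("eval allowed:", allows_eval(p))
```

Running it against the example policy shows style-src falling back to `'self'` and both inline scripts and eval() blocked, whereas a policy that sets only img-src leaves scripts entirely unrestricted, which is exactly why the summary insists on default-src or script-src.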
4. To ease deployment, CSP can be deployed in report-only mode
Content-Security-Policy-Report-Only: policy
+ report-uri can be specified in the enforcing Content-Security-Policy header as well
Content-Security-Policy: default-src 'self'; report-uri http://reportcollector.example.com/collector.cgi
+ For the actual contents of a report, see the link (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#violation_report_syntax)
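To make report-only deployment concrete, here is an added example (not from the original post or from MDN) of the receiving side: a minimal collector for the JSON the browser POSTs to report-uri, reducing each report to the fields worth logging. The sample report is constructed for this example; the field names follow the csp-report format linked above, and the handler class and port are this example's assumptions.

```python
"""Added example (not part of the original post): a minimal report-uri collector
that summarizes CSP violation reports (csp-report JSON) for logging/triage."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed sample of what a browser POSTs while the site runs in
# Content-Security-Policy-Report-Only mode ("disposition": "report").
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.com/page.html",
        "referrer": "",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; report-uri http://reportcollector.example.com/collector.cgi",
        "disposition": "report",
        "blocked-uri": "https://cdn.third-party.example/lib.js",
        "status-code": 200,
    }
}).encode()


def summarize_report(body: bytes) -> dict:
    """Reduce a csp-report body to page, governing directive, what was blocked,
    and whether the policy was enforcing or report-only.
    Raises ValueError/KeyError on malformed input so the caller can answer 400."""
    report = json.loads(body)["csp-report"]
    blocked = report.get("blocked-uri", "")
    if blocked in ("inline", "eval"):
        kind = blocked                      # inline script/style or eval() use
    elif blocked == "":
        kind = "unknown"                    # browsers redact some cross-origin URIs
    else:
        kind = "external:" + (urlsplit(blocked).hostname or blocked)
    return {
        "page": report.get("document-uri"),
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "kind": kind,
        "enforced": report.get("disposition") == "enforce",
    }


class CollectorHandler(BaseHTTPRequestHandler):
    """report-uri endpoint: read the POSTed JSON, log the summary, reply 204."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            print(summarize_report(body))   # a real collector would write to a log sink
        except (ValueError, KeyError):
            self.send_response(400)
            self.end_headers()
            return
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    print(summarize_report(SAMPLE_REPORT))
    HTTPServer(("127.0.0.1", 8080), CollectorHandler).serve_forever()
```

Counting reports by `kind` and `directive` over a report-only period is the practical way to find what a candidate policy would break before switching the header to enforcing mode. Note that report-uri is the older reporting mechanism; newer browsers prefer report-to, so a collector often has to accept both formats.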
Additional.
1. CSP usage examples
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#examples_common_use_cases
Reference.