{"id":1373,"date":"2024-07-20T18:27:03","date_gmt":"2024-07-20T18:27:03","guid":{"rendered":"https:\/\/hacking.cool\/?p=1373"},"modified":"2024-07-20T18:27:03","modified_gmt":"2024-07-20T18:27:03","slug":"content-security-policy-csp","status":"publish","type":"post","link":"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/","title":{"rendered":"Content Security Policy (CSP)?"},"content":{"rendered":"
\n
\"\"<\/figure><\/div>\n\n\n

Content Security Policy (CSP) is one powerful setting that helps to defend your website. It particularly defends your site from vulnerabilities such as Cross-Site Scripting (XSS) and data injection attacks. It works by defining which sources of content are allowed to be loaded and executed on your web pages.<\/p>\n\n\n\n

How CSP Works<\/h4>\n\n\n\n

CSP is implemented via HTTP headers or HTML meta tags. There, we simply specify allowed sources for different types of content.<\/p>\n\n\n\n

Basic Example of CSP<\/h4>\n\n\n\n

Let\u2019s start with a simple example. Imagine you have a website and you want to ensure that only scripts from your own domain can run. Here\u2019s how you can set up a basic CSP:<\/p>\n\n\n\n

Content-Security-Policy: script-src 'self'<\/code><\/pre>\n\n\n\n
This policy allows only scripts that come from the same origin as your website to execute.<\/p>\n\n\n\n
Inline Scripts<\/strong> <\/p>\n\n\n\n
Now comes one of the most important parts: CSP by default blocks inline scripts (unless specifically allowed). What are inline scripts? <\/p>\n\n\n\n
Lets show it by example of two ways you can run script on your page. <\/p>\n\n\n\n
First example – inline scripts:<\/strong><\/p>\n\n\n\n
<!DOCTYPE html>\n<html>\n<head>\n    <title>My Website<\/title>\n<\/head>\n<body>\n    <h1>Welcome!<\/h1>\n    <script>\n        \/\/ Inline script\n        alert(\"hi there\");\n    <\/script>\n<\/body>\n<\/html><\/code><\/pre>\n\n\n\n
Second example – external script:<\/strong><\/p>\n\n\n\n
Now we will implement the same thing as above, but through an external script “main.js”. Here is its content: <\/p>\n\n\n\n
\/\/ main.js\nalert('hi there');<\/code><\/pre>\n\n\n\n
And then we include our main.js into the main page:<\/p>\n\n\n\n
<!DOCTYPE html>\n<html>\n<head>\n    <title>My Website<\/title>\n    <script src=\"main.js\"><\/script>\n<\/head>\n<body>\n    <h1>Welcome!<\/h1>\n<\/body>\n<\/html><\/code><\/pre>\n\n\n\n
\n\n\n\n
What is the difference between the two examples? They realize the same function. But in the first instance we wrote the script directly into the same page. While in the second example we wrote a separate file for that script and then included that file into the page. First example is called inline scripts<\/strong>. The second one is external script (as the script is in an external file). <\/p>\n\n\n\n
By default, CSP blocks all inline scripts. This means that any XSS attacks where you directly inject some scripts into the page – will also be blocked.<\/p>\n\n\n\n
Preventing External Script Injections<\/h4>\n\n\n\n
CSP can also block scripts from unauthorized sources. Let\u2019s say an attacker tries to inject a script from their own server.<\/p>\n\n\n\n
<script src=\"https:\/\/attacker-server.com\/malicious.js\"><\/script><\/code><\/pre>\n\n\n\n
This won’t work, because “Content-Security-Policy: script-src ‘self’<\/strong>” the script-src ‘self’<\/strong> part ensures only scripts from our own site are permitted to be included like that. CSP will check is the attacker-server.com among the allowed domains? Ah no…it’s not. Hence – the external malicious.js won’t be allowed to be run.<\/p>\n\n\n\n
Later we will discuss how to bypass it properly.<\/p>\n","protected":false},"excerpt":{"rendered":"
Content Security Policy (CSP) is one powerful setting that helps to defend your website. It particularly defends your site from vulnerabilities such as Cross-Site Scripting (XSS) and data injection attacks. It works by defining which sources of content are allowed to be loaded and executed on your web pages. How CSP Works CSP is implemented…<\/span><\/p>\n
Read More<\/a><\/p>\n","protected":false},"author":3,"featured_media":1378,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1373","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"yoast_head":"\nContent Security Policy (CSP)? - hacking.cool<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Content Security Policy (CSP)? - hacking.cool\" \/>\n<meta property=\"og:description\" content=\"Content Security Policy (CSP) is one powerful setting that helps to defend your website. It particularly defends your site from vulnerabilities such as Cross-Site Scripting (XSS) and data injection attacks. It works by defining which sources of content are allowed to be loaded and executed on your web pages. How CSP Works CSP is implemented…Read More\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/\" \/>\n<meta property=\"og:site_name\" content=\"hacking.cool\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-20T18:27:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/ee90e9a1-bd39-414e-8f58-b559bd29bbbe.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1792\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Atom\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Atom\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#website\",\"url\":\"https:\/\/hacking.cool\/atomanya\/\",\"name\":\"hacking.cool\",\"description\":\"is the hacking school \ud83d\udc69\ud83c\udffb\u200d\ud83d\udcbb\ud83e\uddd1\ud83c\udffb\u200d\ud83d\udcbb\ud83d\uddfa\ud83d\udcda\ud83d\udcd6\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/hacking.cool\/atomanya\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/#primaryimage\",\"url\":\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/ee90e9a1-bd39-414e-8f58-b559bd29bbbe.webp\",\"contentUrl\":\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/ee90e9a1-bd39-414e-8f58-b559bd29bbbe.webp\",\"width\":1792,\"height\":1024},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/\",\"url\":\"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/\",\"name\":\"Content Security Policy (CSP)? - hacking.cool\",\"isPartOf\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/#primaryimage\"},\"datePublished\":\"2024-07-20T18:27:03+00:00\",\"dateModified\":\"2024-07-20T18:27:03+00:00\",\"author\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2\"},\"breadcrumb\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/hacking.cool\/atomanya\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Content Security Policy (CSP)?\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2\",\"name\":\"Atom\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g\",\"caption\":\"Atom\"},\"url\":\"https:\/\/hacking.cool\/atomanya\/author\/atom\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Content Security Policy (CSP)? - hacking.cool","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/","og_locale":"en_US","og_type":"article","og_title":"Content Security Policy (CSP)? - hacking.cool","og_description":"Content Security Policy (CSP) is one powerful setting that helps to defend your website. It particularly defends your site from vulnerabilities such as Cross-Site Scripting (XSS) and data injection attacks. It works by defining which sources of content are allowed to be loaded and executed on your web pages. How CSP Works CSP is implemented…Read More","og_url":"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/","og_site_name":"hacking.cool","article_published_time":"2024-07-20T18:27:03+00:00","og_image":[{"width":1792,"height":1024,"url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/ee90e9a1-bd39-414e-8f58-b559bd29bbbe.webp","type":"image\/webp"}],"author":"Atom","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Atom","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/hacking.cool\/atomanya\/#website","url":"https:\/\/hacking.cool\/atomanya\/","name":"hacking.cool","description":"is the hacking school \ud83d\udc69\ud83c\udffb\u200d\ud83d\udcbb\ud83e\uddd1\ud83c\udffb\u200d\ud83d\udcbb\ud83d\uddfa\ud83d\udcda\ud83d\udcd6","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hacking.cool\/atomanya\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/#primaryimage","url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/ee90e9a1-bd39-414e-8f58-b559bd29bbbe.webp","contentUrl":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/ee90e9a1-bd39-414e-8f58-b559bd29bbbe.webp","width":1792,"height":1024},{"@type":"WebPage","@id":"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/","url":"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/","name":"Content Security Policy (CSP)? - hacking.cool","isPartOf":{"@id":"https:\/\/hacking.cool\/atomanya\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/#primaryimage"},"datePublished":"2024-07-20T18:27:03+00:00","dateModified":"2024-07-20T18:27:03+00:00","author":{"@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2"},"breadcrumb":{"@id":"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/hacking.cool\/atomanya\/content-security-policy-csp\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hacking.cool\/atomanya\/"},{"@type":"ListItem","position":2,"name":"Content Security Policy (CSP)?"}]},{"@type":"Person","@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2","name":"Atom","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g","caption":"Atom"},"url":"https:\/\/hacking.cool\/atomanya\/author\/atom\/"}]}},"jetpack_featured_media_url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/ee90e9a1-bd39-414e-8f58-b559bd29bbbe.webp","_links":{"self":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/1373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/comments?post=1373"}],"version-history":[{"count":5,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/1373\/revisions"}],"predecessor-version":[{"id":1379,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/1373\/revisions\/1379"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/media\/1378"}],"wp:attachment":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/media?parent=1373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/categories?post=1373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/tags?post=1373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}