Cyberattack risks are rising at a high rate. Every day attackers advance their strategies to bypass improved security measures. Cyber attackers target commonly weak content security policies to exploit vulnerabilities and gain access to a site or a network. One of the exploitation methods is via injecting malicious code into existing content on websites. So, reducing the attack surface becomes the content security policies’ duty in this case. Let’s look at the 5 best content security policies for 2022.
What is a Content Security Policy?
Content Security Policy (CSP) is a computer security standard that was developed for preventing malicious content in the web page context. The goal of CSPs is to protect web pages from loading malicious content. This malicious content is mainly caused by code injection attacks. Content Security Policies combat cross-site scripting (XSS), clickjacking, session hijacking, and many more code injection attacks as the second layer of protection. Webpages and applications might contain numerous vulnerabilities. Although CSPs can’t vanish these vulnerabilities, they offer a significant defense for web applications against exploitations. So, it can serve as a tool for external attack surface management to mitigate the threats, especially XSS.
Cyber attackers can exploit vulnerabilities in various ways whether it is a script, inline script, or style. They can even send your credit card information to an attacker’s website with inline scripts or make you click on an infected element on the page unwillingly. Sent-in content security policies to browsers can allow the origins of the resources like scripts and styles. Essentially, content security policies control what page and from where it is allowed to load. Also, CSP is a tool to restrict the content being uploaded through HTTP response header directives or page-level directives of HTML meta tags.
Content Security Policy delivery has three means: CSP header, CSP report-only header, and CSP meta tag. CSP HTTP response header supports the feature set fully. The CSP report-only header allows you to send CSP that doesn’t get enforced. Using “report-to” and “report-uri” directives print violation reports to the console and send them to violation endpoints. In case CSP headers can’t be used, meta tags such as “http-equiv” HTML markup allows you to use CSP. Content security policy meta tags support almost everything but framing protection, CSP violation logging, and sandboxing. The policy flow can be controlled by various directives. These include fetch directives, document directives, navigation directives, reporting directives, special directive sources, hashes, and nonces.
The Best Content Security Policies
1- Basic CSP Policy
In basic CSP, only resources from domain origins are allowed while execution of inline scripts and styles are denied. Basic content security policy blocks cross-site framing and cross-site form submission with this process. With basic CSP, the external attack surface is mitigated remarkably, and therefore security increases.
Basic content security policy has fundamental principles and assumptions. The document domain hosts all of the resources. The website has no need framing by other websites. Form submissions to external websites don’t exist. And scripts and style resources have no inlines or evals. Basic content security only allows content originating from the same domain. These contents include images, scripts, media, objects, and such. The Basic CSP structure refers to:
Content-Security-Policy: default-src ‘self’; frame-ancestors ‘self’; form-action ‘self’;
2- Strict Policy
Strict policy heavily relies on hashes and nonces. Strict CSP prevents injection attacks such as classical stored, reflected, and DOM XSS attacks from executing malicious code. DOM XSS attacks write data from untrusted sources to dangerous sinks and process it. Reflected XSS request data as an HTTP format insecurely to a website or application. Stored XSS injects malicious code into the stored user input in the server. Strict CSPs can protect servers against these attacks. Strict content security policy can be used in two ways and these are moderate strict policies and locked down strict policies.
script-src ‘nonce-r4nd0m’ ‘strict-dynamic’;
object-src ‘none’; base-uri ‘none’;
object-src ‘none’; base-uri ‘none’;
3- Fetch Directive CSP
Fetch directives manage which locations are trusted to load resources from. CSPs with fetch directives protect the server against malicious resource infiltration. A fallback list of fetch directives allows resource granular control. By using fetch directives, developers can also control worker execution and nested browsing contexts, limit content sources, and specify web font sources such as child-src, font-src, and script-src fallback directives. If CSP headers don’t contain directives, the system will integrate default-src by default.
4- Document Directive CSP
By document directives, the browser is informed about document properties to which CSPs apply. A content security policy with document directives restricts resource types loaded in the document. Even a sandbox can be enabled for resource requests. If a value of a directive isn’t specified, all sandbox limitations are enabled.
5- CSP for Preventing Framing Attacks
Framing attacks aim to exploit the vulnerabilities of websites by using third-party content. Clickjacking, cross-site leaks, cross-site framing, and cross-site form submissions can be shown as examples of framing attacks. Clickjacking is a technique in which users are deceived into clicking disguised malicious elements. In other words, users don’t click on what they think it is but malicious code. CSP for preventing framing attacks can be established with many directives. Specific directives for this goal include banning all framing of your content, permitting site framing, and permitting framing from trusted domains.
Content Security Policy (CSP) is an effective protection layer against code injection attacks such as cross-site scripting (XSS), clickjacking, and session hijacking. Remember that CSPs can mitigate the attack surface and make vulnerabilities harder to exploit. So, don’t rely on CSPs as the only protection mechanism.